CVE-2022-32214: 
JavaScript vulnerability analysis and mitigation

CVE-2022-32214 is a medium severity vulnerability affecting the llhttp parser in Node.js versions <14.20.1, <16.17.1, and <18.9.1. The vulnerability was discovered by Zeyu Zhang (@zeyu2001) and disclosed on July 7th, 2022. The issue exists in the http module where the parser does not strictly use the CRLF sequence to delimit HTTP requests (NodeJS Blog).

The vulnerability stems from improper delimiting of header fields in the llhttp parser component of Node.js's http module. The parser's failure to strictly enforce CRLF (Carriage Return Line Feed) sequence for HTTP request delimitation creates a security weakness. This implementation flaw affects all versions of the 18.x, 16.x, and 14.x release lines prior to the security patches (NodeJS Blog).

The vulnerability can lead to HTTP Request Smuggling (HRS) attacks. HTTP Request Smuggling can allow attackers to bypass security controls, gain unauthorized access to sensitive data, or perform other malicious actions by manipulating how different systems interpret HTTP requests (NodeJS Blog).

The vulnerability has been fixed in Node.js versions 14.20.0, 16.16.0, and 18.5.0. Users should upgrade to these versions or later to mitigate the vulnerability. The fix is included in llhttp v6.0.7 and llhttp v2.1.5, which have been integrated into the Node.js security releases (NodeJS Blog).