{"id":"CVE-2021-22959","details":"The parser in llhttp accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp \u003c v2.1.4 and \u003c v6.0.6.","modified":"2026-04-15T23:59:30.933273848Z","published":"2021-11-15T15:15:06.747Z","related":["ALSA-2021:5171","ALSA-2022:0350","CGA-jvjw-wqwq-8x6w","SUSE-SU-2021:3886-1","SUSE-SU-2021:3940-1","SUSE-SU-2021:3964-1","SUSE-SU-2022:0101-1","SUSE-SU-2022:2855-1","openSUSE-SU-2021:1552-1","openSUSE-SU-2021:1574-1","openSUSE-SU-2021:3940-1","openSUSE-SU-2021:3964-1","openSUSE-SU-2024:11616-1","openSUSE-SU-2024:11637-1","openSUSE-SU-2024:12237-1","openSUSE-SU-2025:15095-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"11.0"}]}]},"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5170"},{"type":"REPORT","url":"https://hackerone.com/reports/1238709"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"9e3645fe9e0c84e1350c4b88cfb9fdf432c97fce"},{"last_affected":"2b9eb103d1668cf5eac22fe85bdad7513681d9e3"}],"database_specific":{"source":"CPE_FIELD","cpe":["cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*","cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"20.3.4"},{"last_affected":"21.3.0"}]}}],"versions":["vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-20.3.3","vm-20.3.4","vm-21.0.0","vm-21.0.0.2","vm-21.1.0","vm-21.2.0","vm-21.3.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22959.json"}},{"ranges":[{"type":
"GIT","repo":"https://github.com/nodejs/llhttp","events":[{"introduced":"0"},{"fixed":"d6ea943d8d1c5092f4bf6e10a6a32cfb2dbeaae3"},{"introduced":"c6a35cccf5c8b36f82036c23cf9c50a7dc2dbd0a"},{"fixed":"69d6db2008508489d19267a0dcab30602b16fc5b"}],"database_specific":{"cpe":"cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.1.4"},{"introduced":"3.0.0"},{"fixed":"6.0.6"}]}}],"versions":["v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.3","v3.0.0","v4.0.0","v5.0.0","v5.1.0","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22959.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}