{"id":"CVE-2021-22960","details":"The parse function in llhttp \u003c 2.1.4 and \u003c 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.","modified":"2026-04-09T07:27:35.961800Z","published":"2021-11-03T20:15:08.247Z","related":["ALSA-2021:5171","ALSA-2022:0350","CGA-fhjw-9446-5fjm","MGASA-2021-0592","SUSE-SU-2021:3886-1","SUSE-SU-2021:3940-1","SUSE-SU-2021:3964-1","SUSE-SU-2022:0101-1","SUSE-SU-2022:2855-1","openSUSE-SU-2021:1552-1","openSUSE-SU-2021:1574-1","openSUSE-SU-2021:3940-1","openSUSE-SU-2021:3964-1","openSUSE-SU-2024:11616-1","openSUSE-SU-2024:11637-1"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5170"},{"type":"REPORT","url":"https://hackerone.com/reports/1238099"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"9e3645fe9e0c84e1350c4b88cfb9fdf432c97fce"},{"introduced":"0"},{"last_affected":"2b9eb103d1668cf5eac22fe85bdad7513681d9e3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"20.3.4"},{"introduced":"0"},{"last_affected":"21.3.0"}]}},{"type":"GIT","repo":"https://github.com/nodejs/llhttp","events":[{"introduced":"0"},{"fixed":"d6ea943d8d1c5092f4bf6e10a6a32cfb2dbeaae3"},{"introduced":"c6a35cccf5c8b36f82036c23cf9c50a7dc2dbd0a"},{"fixed":"69d6db2008508489d19267a0dcab30602b16fc5b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.4"},{"introduced":"3.0.0"},{"fixed":"6.0.6"}]}}],"versions":["v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.3","v3.0.0","v4.0.0","v5.0.0","v5.1.0","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.0.5","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.1","vm-20.1.0","vm-20.2.0",
"vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-20.3.3","vm-20.3.4","vm-21.0.0","vm-21.0.0.2","vm-21.1.0","vm-21.2.0","vm-21.3.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22960.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}