What the vulnerability does

01Description

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

Key dates

02Disclosure timeline

November 15, 2021 CVE published
April 30, 2025 Record updated