What the vulnerability does

01Description

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

Key dates

02Disclosure timeline

November 3, 2021 CVE published
April 30, 2025 Record updated