
CVE-2021-22959: HTTP Request Smuggling (CWE-444) in NodeJS Node

Severity: High
Tags: Vulnerability, CVE-2021-22959, cve, cwe-444
Published: Mon Nov 15 2021 (11/15/2021, 14:45:16 UTC)
Source: CVE
Vendor/Project: NodeJS
Product: Node

Description

The llhttp parser accepts requests with a space (SP) right after the header name and before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

AI-Powered Analysis

Last updated: 06/25/2025, 14:32:35 UTC

Technical Analysis

CVE-2021-22959 is a vulnerability classified as HTTP Request Smuggling (CWE-444) affecting the NodeJS runtime environment, specifically the Node product versions 4.0 through 16.0. The root cause lies in the HTTP parser component (llhttp) used by NodeJS, which incorrectly accepts HTTP headers that contain a space character immediately following the header name and before the colon delimiter. RFC 7230 forbids whitespace at that position and requires a server to reject such a request with a 400 response; when llhttp tolerates the header instead while a front-end proxy parses or drops it differently, the two components can disagree about which header (for example Content-Length or Transfer-Encoding) governs the message body, and therefore about where one request ends and the next begins. This non-standard parsing behavior can be exploited to craft malicious HTTP requests that are interpreted differently by front-end proxies and back-end servers, leading to HTTP Request Smuggling attacks. Such attacks enable an adversary to bypass security controls, poison web caches, conduct cross-site scripting (XSS), hijack user sessions, or perform web cache deception. The vulnerability affects llhttp versions prior to 2.1.4 and 6.0.6, which are embedded in the affected NodeJS versions. No known exploits have been reported in the wild to date, and no official CVSS score has been assigned. However, the vulnerability is significant due to the widespread use of NodeJS in web application backends and microservices architectures. Exploitation requires an attacker to send specially crafted HTTP requests to vulnerable servers, potentially without authentication, depending on the deployment context. The vulnerability impacts the integrity and confidentiality of HTTP communications and can also affect availability if used to disrupt normal request processing.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on NodeJS-based web services and APIs. HTTP Request Smuggling can lead to unauthorized access to sensitive data, session hijacking, and bypassing of security mechanisms such as web application firewalls (WAFs) and reverse proxies. This can compromise customer data, internal communications, and critical business operations. Industries such as finance, healthcare, e-commerce, and government services, which often use NodeJS for scalable web applications, are particularly at risk. Additionally, the ability to poison caches or manipulate request routing can degrade service availability and trustworthiness. Given the lack of known exploits, the threat is currently theoretical but should be treated proactively due to the ease of exploitation and potential for significant damage once weaponized.

Mitigation Recommendations

European organizations should prioritize upgrading NodeJS to versions that include patched llhttp components, specifically llhttp 2.1.4 or later on the 2.x line and 6.0.6 or later on the 6.x line. If immediate upgrading is not feasible, organizations should implement strict input validation and normalization at the web server or proxy level to reject HTTP headers with non-standard formatting, such as spaces after header names before colons. Deploying and tuning Web Application Firewalls (WAFs) to detect and block malformed HTTP requests indicative of request smuggling attempts is recommended. Network segmentation and strict access controls can limit exposure of vulnerable services. Additionally, monitoring HTTP traffic for anomalies and unusual request patterns can provide early detection. Organizations should also audit their NodeJS dependencies and container images to ensure no vulnerable versions are in use. Finally, educating development and operations teams about HTTP protocol compliance and secure coding practices can reduce future risks.


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2021-01-06T00:00:00
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed46b

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 2:32:35 PM

Last updated: 8/18/2025, 11:22:36 PM
