httptools / llhttp critical CVE's #1621

nlsj1985 · 2022-08-31T19:43:52Z

nlsj1985
Aug 31, 2022

Hi,

I just want to raise your attention on the critical CVE's (9.1 score) that have been reported recently in llhttp by the nodeJS project, and are raised by me in the httptools project.

Please note that there's some controversie (it seems) about mandating CR delimited headers and dropping support for LF delimited headers in the release of llhttp.

As I'm not sure how this impacts projects using httptools and llhttp, I've raised this as an issue in the httptools project.
[https://github.com/MagicStack/httptools/issues/82]

Perhaps some of you can contribute and help get some sense out of what's needed to get this fixed for all beautiful things running on uvicorn.

Thanks!
SJ

Answered by Kludex

Jan 11, 2023

httptools was bumped on uvicorn. Thanks. 👍

View full answer

Kludex · 2023-01-11T12:43:03Z

Kludex
Jan 11, 2023
Maintainer

httptools was bumped on uvicorn. Thanks. 👍

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

httptools / llhttp critical CVE's #1621

{{title}}

Replies: 1 comment

{{title}}

Select a reply

httptools / llhttp critical CVE's #1621

nlsj1985 Aug 31, 2022

Replies: 1 comment

Kludex Jan 11, 2023 Maintainer

nlsj1985
Aug 31, 2022

Kludex
Jan 11, 2023
Maintainer