CVE-2022-35256

CWE-444 — HTTP Request Smuggling9 documents9 sources

Severity

6.5MEDIUM

EPSS

3.9%

top 11.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Llhttp Llhttp Nodejs Node.js +2 more

Timeline

PublishedDec 5

Latest updateNov 21

Description

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶NVDllhttp/llhttp< 6.0.10

▶CVEListV5nodejs/node4.0 — 4.*+14

▶NVDnodejs/node.js14.15.0 — 14.20.1+4

▶Debiannodejs< 12.22.12~dfsg-1~deb11u3+3

▶NVDsiemens/sinec_ins< 1.0+1

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

GHSA-rc2m-q589-vpqx: The llhttp parser in the http module in Node v18↗2022-12-06

▶

CVEList

CVE-2022-35256: The llhttp parser in the http module in Node v18↗2022-12-05

▶

OSV

CVE-2022-35256: The llhttp parser in the http module in Node v18↗2022-12-05

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-11-21

▶

Microsoft

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.↗2022-12-13

▶

Red Hat

nodejs: HTTP Request Smuggling due to incorrect parsing of header fields↗2022-09-23

▶

Debian

CVE-2022-35256: llhttp - The llhttp parser in the http module in Node v18.7.0 does not correctly handle h...↗2022

▶

💬Community

HackerOne

HTTP Request Smuggling Due to Incorrect Parsing of Header Fields↗2023-04-09

▶