CVE-2022-35256

Published: 12/5/2022 Last updated: 4/30/2025 Reserved: 7/6/2022

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	6.5	Medium	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Opam packages affected (1)

conf-npm

Products affected (1)

Product	Vendor	Version
Node	NodeJS	Version 1809 for 32-bit Systems

References (6)

https://hackerone.com/reports/1675191
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://www.debian.org/security/2023/dsa-5326
https://hackerone.com/reports/1675191
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://www.debian.org/security/2023/dsa-5326