CVE-2022-35256 - Vulnerability Details

Description

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Published: 2022-12-05

Score: 6.5 Medium

EPSS: 3.9% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NodeJS

Node

unaffected

Version	Status	Constraints
`4.0`	affected	< 4.*
`5.0`	affected	< 5.*
`6.0`	affected	< 6.*
`7.0`	affected	< 7.*
`8.0`	affected	< 8.*
`9.0`	affected	< 9.*
`10.0`	affected	< 10.*
`11.0`	affected	< 11.*
`12.0`	affected	< 12.*
`13.0`	affected	< 13.*
`14.0`	affected	< 14.20.1
`15.0`	affected	< 15.*
`16.0`	affected	< 16.17.1
`17.0`	affected	< 17.*
`18.0`	affected	< 18.9.1

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 [-]

cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*

Configuration 3 [-]

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp2::::::

Configuration 4 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
nodejs:16-8060020221007164523.ad008a3a	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:6964	2022-10-17T00:00:00Z
nodejs:18-8070020221004121421.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7821	2022-11-08T00:00:00Z
nodejs:14-8070020221020110846.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7830	2022-11-08T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
nodejs:14-8040020230306170312.522a0ee4	cpe:/a:redhat:rhel_eus:8.4	RHSA-2023:1533	2023-03-30T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
nodejs:14-8060020230306170237.ad008a3a	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:1742	2023-04-12T00:00:00Z
Red Hat Enterprise Linux 9
nodejs-1:16.17.1-1.el9_0	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:6963	2022-10-18T00:00:00Z
nodejs-1:16.18.1-3.el9_1	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:0321	2023-01-23T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.20.1-2.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2022:7044	2022-10-19T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-5326-1	nodejs security update
EUVD	EUVD-2022-38147	The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Ubuntu USN	USN-6491-1	Node.js vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03945.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1675191
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://nvd.nist.gov/vuln/detail/CVE-2022-35256
https://www.cve.org/CVERecord?id=CVE-2022-35256
https://www.debian.org/security/2023/dsa-5326

History

Thu, 24 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Debian Debian Linux

Llhttp Llhttp

Nodejs Node.js

Redhat Enterprise Linux Rhel Eus Rhel Software Collections

Siemens Sinec Ins

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-12-05T00:00:00.000Z

Updated: 2025-04-30T22:24:47.709Z

Reserved: 2022-07-06T00:00:00.000Z

Link: CVE-2022-35256

Vulnrichment

Updated: 2024-08-03T09:29:17.444Z

NVD

Status : Modified

Published: 2022-12-05T22:15:10.570

Modified: 2025-04-24T14:15:32.277

Link: CVE-2022-35256

Redhat

Severity : Moderate

Publid Date: 2022-09-23T00:00:00Z

Links: CVE-2022-35256 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-444

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object