The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0414.

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

Vendors Products
Debian
  • Debian Linux
Llhttp
  • Llhttp
Nodejs
  • Node.js
Redhat
  • Enterprise Linux
  • Rhel Eus
  • Rhel Software Collections
Siemens
  • Sinec Ins

Configuration 1 [-]

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 [-]

cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*

Configuration 3 [-]

OR cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
nodejs:16-8060020221007164523.ad008a3a cpe:/a:redhat:enterprise_linux:8 RHSA-2022:6964 2022-10-17T00:00:00Z
nodejs:18-8070020221004121421.bd1311ed cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7821 2022-11-08T00:00:00Z
nodejs:14-8070020221020110846.bd1311ed cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7830 2022-11-08T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
nodejs:14-8040020230306170312.522a0ee4 cpe:/a:redhat:rhel_eus:8.4 RHSA-2023:1533 2023-03-30T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
nodejs:14-8060020230306170237.ad008a3a cpe:/a:redhat:rhel_eus:8.6 RHSA-2023:1742 2023-04-12T00:00:00Z
Red Hat Enterprise Linux 9
nodejs-1:16.17.1-1.el9_0 cpe:/a:redhat:enterprise_linux:9 RHSA-2022:6963 2022-10-18T00:00:00Z
nodejs-1:16.18.1-3.el9_1 cpe:/a:redhat:enterprise_linux:9 RHSA-2023:0321 2023-01-23T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.20.1-2.el7 cpe:/a:redhat:rhel_software_collections:3::el7 RHSA-2022:7044 2022-10-19T00:00:00Z

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-5326-1 nodejs security update
EUVD EUVD EUVD-2022-38147 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Ubuntu USN Ubuntu USN USN-6491-1 Node.js vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf cve-icon cve-icon
https://hackerone.com/reports/1675191 cve-icon cve-icon
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256 cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2022-35256 cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-35256 cve-icon
https://www.debian.org/security/2023/dsa-5326 cve-icon cve-icon
History

Thu, 24 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2025-04-30T22:24:47.709Z

Reserved: 2022-07-06T00:00:00.000Z

Link: CVE-2022-35256

cve-icon Vulnrichment

Updated: 2024-08-03T09:29:17.444Z

cve-icon NVD

Status : Modified

Published: 2022-12-05T22:15:10.570

Modified: 2025-04-24T14:15:32.277

Link: CVE-2022-35256

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-09-23T00:00:00Z

Links: CVE-2022-35256 - Bugzilla

cve-icon OpenCVE Enrichment

No data.