Vulnerability Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVSS Score
6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 14.0.0, <= 14.14.0 |
| Llhttp | Llhttp | < 6.0.10 |
| Siemens | Sinec Ins | < 1.0 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory
- https://hackerone.com/reports/1675191ExploitIssue TrackingThird Party Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory
- https://hackerone.com/reports/1675191ExploitIssue TrackingThird Party Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory
FAQ
What is CVE-2022-35256?
CVE-2022-35256 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
How severe is CVE-2022-35256?
CVE-2022-35256 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-35256?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Llhttp Llhttp, Siemens Sinec Ins, Debian Debian Linux.