CVE-2022-35256

CVSS v3.1 6.5 (Medium)

EPSS 0.26 % (66^th)

Affected Products 4

Advisories 37

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Weaknesses

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2022-12-05 22:15:10
(21 months ago)
Updated Date: 2023-05-12 13:30:33
(16 months ago)

Affected Products

Debian

Debian Linux

Llhttp

Llhttp

Nodejs

Node.js

Siemens

Sinec Ins

Configuration #1

		CPE23	From	Up To
	Nodejs Node.js from 14.0.0 version and 14.14.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	<= 14.14.0
	Nodejs Node.js from 14.15.0 version and prior 14.20.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 14.15.0	< 14.20.1
	Nodejs Node.js from 16.0.0 version and 16.12.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	<= 16.12.0
	Nodejs Node.js from 16.13.0 version and prior 16.17.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 16.13.0	< 16.17.1
	Nodejs Node.js from 18.0.0 version and prior 18.9.1 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 18.0.0	< 18.9.1

Configuration #2

		CPE23	From	Up To
	Llhttp for Node.js prior 6.0.10 version	cpe:2.3:a:llhttp:llhttp::::::node.js		< 6.0.10

Configuration #3

		CPE23	From	Up To
	Siemens Sinec Ins prior 1.0 version	cpe:2.3:a:siemens:sinec_ins		< 1.0
	Siemens Sinec Ins 1.0	cpe:2.3:a:siemens:sinec_ins:1.0:-
	Siemens Sinec Ins 1.0 SP1	cpe:2.3:a:siemens:sinec_ins:1.0:sp1
	Siemens Sinec Ins 1.0 SP2	cpe:2.3:a:siemens:sinec_ins:1.0:sp2

Configuration #4

		CPE23	From	Up To
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0