Unrated severity · NVD Advisory · Published Dec 5, 2022 · Updated Apr 30, 2025
CVE-2022-35256
Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Affected products
osv-coords (42 versions):
- pkg:apk/chainguard/py3.10-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/chainguard/py3.11-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/chainguard/py3.12-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/chainguard/py3-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/chainguard/py3-supported-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/wolfi/py3.10-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/wolfi/py3.11-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/wolfi/py3.12-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/wolfi/py3-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:apk/wolfi/py3-supported-llhttp (no CPE), range: < 9.3.0.0-r0
- pkg:bitnami/node (no CPE), range: >= 14.0.0, < 14.14.1
- pkg:bitnami/node-min (no CPE), range: >= 14.0.0, < 14.14.1
- pkg:rpm/almalinux/nodejs (no CPE), range: < 1:16.17.1-1.el9_0
- pkg:rpm/almalinux/nodejs-devel (no CPE), range: < 1:16.17.1-1.module_el8.6.0+3328+2e4711d7
- pkg:rpm/almalinux/nodejs-docs (no CPE), range: < 1:16.17.1-1.el9_0
- pkg:rpm/almalinux/nodejs-full-i18n (no CPE), range: < 1:16.17.1-1.el9_0
- pkg:rpm/almalinux/nodejs-libs (no CPE), range: < 1:16.17.1-1.el9_0
- pkg:rpm/almalinux/nodejs-nodemon (no CPE), range: < 2.0.19-2.module_el8.6.0+3261+490666b3
- pkg:rpm/almalinux/nodejs-packaging (no CPE), range: < 25-1.module_el8.5.0+2605+45d748af
- pkg:rpm/almalinux/nodejs-packaging-bundler (no CPE), range: < 2021.06-4.module_el8.7.0+3343+ea2b7901
- pkg:rpm/almalinux/npm (no CPE), range: < 1:8.15.0-1.16.17.1.1.el9_0
- pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 10.24.1-150000.1.50.1
- pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 10.24.1-150000.1.50.1
- pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 12.22.12-150200.4.38.1
- pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 12.22.12-150200.4.38.1
- pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 14.20.1-150200.15.37.1
- pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 14.20.1-150200.15.37.1
- pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 16.17.1-150300.7.12.1
- pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 16.17.1-150400.3.9.1
- pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Tumbleweed (no CPE), range: < 16.17.1-1.1
- pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 18.13.0-150400.9.3.1
- pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 18.13.0-150400.9.3.1
- pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Tumbleweed (no CPE), range: < 18.10.0-1.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE), range: < 12.22.12-1.54.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3 (no CPE), range: < 12.22.12-150200.4.38.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE), range: < 14.20.1-6.34.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3 (no CPE), range: < 14.20.1-150200.15.37.1
- pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE), range: < 16.17.1-8.12.1
- pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3 (no CPE), range: < 16.17.1-150300.7.12.1
- pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4 (no CPE), range: < 16.17.1-150400.3.9.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE), range: < 18.13.0-8.3.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4 (no CPE), range: < 18.13.0-150400.9.3.1
References
- www.debian.org/security/2023/dsa-5326 (mitre, vendor-advisory)
- cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf (mitre)
- hackerone.com/reports/1675191 (mitre)