CVE-2022-35256 - Vulnerability Details

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Llhttp	Llhttp
Nodejs	Node.js
Redhat	Enterprise Linux Rhel Eus Rhel Software Collections
Siemens	Sinec Ins

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 [-]

cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*

Configuration 3 [-]

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp2::::::

Configuration 4 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
nodejs:16-8060020221007164523.ad008a3a	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:6964	2022-10-17T00:00:00Z
nodejs:18-8070020221004121421.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7821	2022-11-08T00:00:00Z
nodejs:14-8070020221020110846.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7830	2022-11-08T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
nodejs:14-8040020230306170312.522a0ee4	cpe:/a:redhat:rhel_eus:8.4	RHSA-2023:1533	2023-03-30T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
nodejs:14-8060020230306170237.ad008a3a	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:1742	2023-04-12T00:00:00Z
Red Hat Enterprise Linux 9
nodejs-1:16.17.1-1.el9_0	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:6963	2022-10-18T00:00:00Z
nodejs-1:16.18.1-3.el9_1	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:0321	2023-01-23T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.20.1-2.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2022:7044	2022-10-19T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1675191
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://nvd.nist.gov/vuln/detail/CVE-2022-35256
https://www.cve.org/CVERecord?id=CVE-2022-35256
https://www.debian.org/security/2023/dsa-5326

History

Thu, 24 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-12-05T00:00:00.000Z

Updated: 2025-04-30T22:24:47.709Z

Reserved: 2022-07-06T00:00:00.000Z

Link: CVE-2022-35256

Vulnrichment

Updated: 2024-08-03T09:29:17.444Z

NVD

Status : Modified

Published: 2022-12-05T22:15:10.570

Modified: 2025-04-24T14:15:32.277

Link: CVE-2022-35256

Redhat

Severity : Moderate

Publid Date: 2022-09-23T00:00:00Z

Links: CVE-2022-35256 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object