CVE-2022-35256

Name: CVE-2022-35256
Description: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5326-1
Debian Bugs: 977716

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                      | Version                   | Status
nodejs (PTS)   | jessie                       | 0.10.29~dfsg-2            | vulnerable
               | stretch                      | 4.8.2~dfsg-1              | vulnerable
               | buster                       | 10.24.0~dfsg-1~deb10u1    | fixed
               | buster (security)            | 10.24.0~dfsg-1~deb10u4    | fixed
               | bullseye (security), bullseye| 12.22.12~dfsg-1~deb11u4   | fixed
               | bookworm                     | 18.13.0+dfsg1-1           | fixed
               | bookworm (security)          | 18.19.0+dfsg-6~deb12u1    | fixed
               | sid, trixie                  | 18.20.1+dfsg-4            | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version            | Urgency     | Origin     | Debian Bugs
llhttp  | ITP    |            |                          |             |            | 977716
nodejs  | source | jessie     | (unfixed)                | end-of-life |            |
nodejs  | source | stretch    | (unfixed)                | end-of-life |            |
nodejs  | source | buster     | (not affected)           |             |            |
nodejs  | source | bullseye   | 12.22.12~dfsg-1~deb11u3  |             | DSA-5326-1 |
nodejs  | source | (unstable) | 18.10.0+dfsg-1           |             |            |

Notes

[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://hackerone.com/reports/1888760
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1)
