CVE-2022-35256

NameCVE-2022-35256
DescriptionThe llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5326-1
Debian Bugs977716

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)buster10.24.0~dfsg-1~deb10u1fixed
buster (security)10.24.0~dfsg-1~deb10u2fixed
bullseye12.22.5~dfsg-2~11u1vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u3fixed
bookworm, sid18.13.0+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
llhttpITP977716
nodejssourcebuster(not affected)
nodejssourcebullseye12.22.12~dfsg-1~deb11u3DSA-5326-1
nodejssource(unstable)18.10.0+dfsg-1

Notes

[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1)

Search for package or bug name: Reporting problems