CVE-2022-35256

NameCVE-2022-35256
DescriptionThe llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5326-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
llhttp (PTS)sid9.3.3~really9.3.0+~cs12.11.8-3fixed
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u7fixed
bookworm, bookworm (security)18.20.4+dfsg-1~deb12u1fixed
forky, trixie20.19.2+dfsg-1fixed
sid20.19.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
llhttpsource(unstable)(not affected)
nodejssourcebuster(not affected)
nodejssourcebullseye12.22.12~dfsg-1~deb11u3DSA-5326-1
nodejssource(unstable)18.10.0+dfsg-1

Notes

[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <not-affected> (Fixed before initial upload to Debian)
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://hackerone.com/reports/1888760
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1)

Search for package or bug name: Reporting problems