CVE-2022-35256 | SynScan

Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Published: Dec 5, 2022
Updated: May 10, 2024
CVE: CVE-2022-35256
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
nodejs / node.js	14.0.0	14.14.0.x
nodejs / node.js	16.0.0	16.12.0.x
nodejs / node.js	16.13.0	16.17.1
nodejs / node.js	18.0.0	18.9.1
llhttp / llhttp	-	6.0.10
siemens / sinec_ins	1.0-sp1	1.0-sp1.x
siemens / sinec_ins	-	1.0
siemens / sinec_ins	1.0	1.0.x
siemens / sinec_ins	1.0-sp2	1.0-sp2.x
debian / debian_linux	11.0	11.0.x
nodejs / node.js	14.15.0	14.20.1