The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
References
Link | Resource |
---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf | Third Party Advisory |
https://hackerone.com/reports/1675191 | Exploit Issue Tracking Third Party Advisory |
https://www.debian.org/security/2023/dsa-5326 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
01 Mar 2023, 15:04
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-05 22:15
Updated : 2024-02-04 23:14
NVD link : CVE-2022-35256
Mitre link : CVE-2022-35256
CVE.ORG link : CVE-2022-35256
JSON object : View
Products Affected
nodejs
- node.js
siemens
- sinec_ins
llhttp
- llhttp
debian
- debian_linux
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')