CVE-2022-35256

CVE-2022-35256

Name

CVE-2022-35256

Description

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://hackerone.com/reports/1675191
Third Party Advisory	https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Third Party Advisory	https://www.debian.org/security/2023/dsa-5326

Type

URI

MISC

https://hackerone.com/reports/1675191

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

Third Party Advisory

https://www.debian.org/security/2023/dsa-5326

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 14.0.0	<= 14.14.0
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 16.0.0	<= 16.12.0
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 16.13.0	< 16.17.1
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 18.0.0	< 18.9.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 14.15.0	<= 14.20.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 14.0.0

<= 14.14.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 16.0.0

<= 16.12.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 16.13.0

< 16.17.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 18.0.0

< 18.9.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 14.15.0

<= 14.20.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs-current	edge-community	18.9.1-r0	Jose-Luis Rivas <ghostbar@riseup.net>	fixed
nodejs-current	3.22-community	18.9.1-r0	None	fixed
nodejs-current	3.21-community	18.9.1-r0	None	fixed
nodejs-current	3.20-community	18.9.1-r0	None	fixed
nodejs-current	3.19-community	18.9.1-r0	None	fixed
nodejs-current	3.18-community	18.9.1-r0	None	fixed
nodejs-current	3.17-community	18.9.1-r0	None	fixed
nodejs	edge-main	16.17.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	edge-main	16.17.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.13.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.18.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.6-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.5-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.4-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.16.1-r0	None	possibly vulnerable
nodejs	edge-main	14.16.0-r0	None	possibly vulnerable
nodejs	edge-main	14.15.5-r0	None	possibly vulnerable
nodejs	edge-main	14.15.4-r0	None	possibly vulnerable
nodejs	edge-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.22-main	16.17.1-r0	None	fixed
nodejs	3.22-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.22-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.22-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.22-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.21-main	16.17.1-r0	None	fixed
nodejs	3.21-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.21-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.21-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.21-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.20-main	16.17.1-r0	None	fixed
nodejs	3.20-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.20-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.20-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.20-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.19-main	16.17.1-r0	None	fixed
nodejs	3.19-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.19-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.19-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.19-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.18-main	16.17.1-r0	None	fixed
nodejs	3.17-main	16.17.1-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

nodejs-current

edge-community

18.9.1-r0

Jose-Luis Rivas <ghostbar@riseup.net>

fixed

nodejs-current

3.22-community

18.9.1-r0

None

fixed

nodejs-current

3.21-community

18.9.1-r0

None

fixed

nodejs-current

3.20-community

18.9.1-r0

None

fixed

nodejs-current

3.19-community

18.9.1-r0

None

fixed

nodejs-current

3.18-community

18.9.1-r0

None

fixed

nodejs-current

3.17-community

18.9.1-r0

None

fixed

nodejs

edge-main

16.17.1-r0