CVE-2022-35256
MEDIUM
Nodejs Node.js < 14.14.0 - HTTP Request Smuggling
Title source: ruleDescription
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Scores
CVSS v3
6.5
EPSS
0.0394
EPSS Percentile
88.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Classification
CWE
CWE-444
Status
published
Affected Products (8)
nodejs/node.js
< 14.14.0
nodejs/node.js
< 14.20.1
llhttp/llhttp
< 6.0.10
siemens/sinec_ins
< 1.0
siemens/sinec_ins
siemens/sinec_ins
siemens/sinec_ins
debian/debian_linux
Timeline
Published
Dec 05, 2022
Tracked Since
Feb 18, 2026