CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

References

Affected packages

Git / github.com/nodejs/llhttp

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/llhttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

07cf037a904240a3a095d796f6e61ed2f563a8fb

Affected versions

v1.*

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v3.*

v3.0.0

v4.*

v4.0.0

v5.*

v5.0.0

v5.1.0

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.8

v6.0.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35256.json"

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

c1da528bc25c9cc5a8240a7b4f136f5968f6e113

Fixed

c11b8215bd6388854efcc9302a7383c8c63b8127

Affected versions

v14.*

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.18.3

v14.19.0

v14.19.1

v14.19.2

v14.19.3

v14.20.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35256.json"