CVE-2022-35256

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-35256
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35256.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-35256
Aliases
Downstream
Related
Published
2022-12-05T22:15:10.570Z
Modified
2026-02-04T21:57:51.019402Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
40ecd5601193c316e62e9216e8a4259130686208
Fixed
6b06e89c7dfccec6792008302af1cee57649445c
Fixed
b82bb600370db7207a39e53329af228f6af3ffa1
Introduced
c1da528bc25c9cc5a8240a7b4f136f5968f6e113
Fixed
c11b8215bd6388854efcc9302a7383c8c63b8127
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Fixed
df3ed1e89299e4c8f006fc20e22265a889c97919

Affected versions

v14.*
v14.15.0
v16.*
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0
v18.*
v18.0.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35256.json"