CVE-2022-35256: XSS
First published: Fri Sep 23 2022(Updated: )
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <1:16.17.1-1.el9_0 | 1:16.17.1-1.el9_0 |
| redhat/nodejs | <1:16.18.1-3.el9_1 | 1:16.18.1-3.el9_1 |
| redhat/rh-nodejs14-nodejs | <0:14.20.1-2.el7 | 0:14.20.1-2.el7 |
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 | |
| redhat/NodeJS | <14.20.1 | 14.20.1 |
| redhat/Nodejs | <16.17.1 | 16.17.1 |
| redhat/Nodejs | <18.9.1 | 18.9.1 |
| redhat/llhttp | <6.0.10 | 6.0.10 |
| IBM Cognos Controller | <=11.0.0 - 11.0.1 | |
| Node.js | >=14.0.0<=14.14.0 | |
| Node.js | >=14.15.0<14.20.1 | |
| Node.js | >=16.0.0<=16.12.0 | |
| Node.js | >=16.13.0<16.17.1 | |
| Node.js | >=18.0.0<18.9.1 | |
| Llhttp Llhttp | <6.0.10 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| Siemens Sinec Ins | =1.0-sp2 | |
| Debian Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-35256 https://nvd.nist.gov/vuln/detail/CVE-2022-35256 https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
- https://bugzilla.redhat.com/show_bug.cgi?id=2130518
- https://access.redhat.com/errata/RHSA-2022:6964
- https://access.redhat.com/errata/RHSA-2022:7821
- https://access.redhat.com/errata/RHSA-2022:7830
- https://access.redhat.com/errata/RHSA-2023:1533
- https://access.redhat.com/errata/RHSA-2023:1742
- https://access.redhat.com/errata/RHSA-2022:6963
- https://access.redhat.com/errata/RHSA-2023:0321
- https://access.redhat.com/errata/RHSA-2022:7044
- https://access.redhat.com/security/cve/cve-2022-35256
- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
- https://hackerone.com/reports/1888760
- https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44
- https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0
- https://security-tracker.debian.org/tracker/CVE-2022-35256
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1675191
- https://www.debian.org/security/2023/dsa-5326
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130533
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130532
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130537
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130534
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130538
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130539
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130536
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130540
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130541
- https://www.ibm.com/support/pages/node/7177220 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this NodeJS vulnerability?
The vulnerability ID of this NodeJS vulnerability is CVE-2022-35256.
What is the severity of CVE-2022-35256?
The severity of CVE-2022-35256 is medium.
What is the affected software for CVE-2022-35256?
The affected software for CVE-2022-35256 is NodeJS versions 16.17.1-1.el9_0, 16.18.1-3.el9_1, 14.20.1, 16.17.1, and 18.9.1.
What is the description of CVE-2022-35256?
CVE-2022-35256 is a vulnerability in NodeJS due to improper validation of HTTP requests, allowing a remote attacker to send a potentially malicious request.
How can I fix CVE-2022-35256?
To fix CVE-2022-35256, it is recommended to update NodeJS to a version that includes the necessary security patches.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-35256
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm cognos controller
- version/ibm cognos controller/11.0.0 - 11.0.1
- vendor/nodejs
- canonical/node.js
- version/node.js/14.0.0
- version/node.js/14.14.0
- version/node.js/14.15.0
- version/node.js/16.0.0
- version/node.js/16.12.0
- version/node.js/16.13.0
- version/node.js/18.0.0
- vendor/llhttp
- canonical/llhttp llhttp
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- version/siemens sinec ins/1.0-sp2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0