CVE-2022-35256
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 3.7%
Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
How to fix CVE-2022-35256
To remediate CVE-2022-35256, upgrade the affected package to one of the fixed versions listed below.
- Alpine/nodejs: upgrade to 14.20.1-r0 or later
- Bitnami/node: upgrade to 14.14.1 or later
- (package not named on the page): upgrade to 14.14.1 or later
- (package not named on the page): upgrade to 12.22.12~dfsg-1~deb11u3 or later
Is CVE-2022-35256 being exploited?
Low: the EPSS score is 3.7%, a low estimated probability of exploitation in the wild; exploitation activity has not been observed at scale.
Affected packages (4)
- >= 0, < 14.20.1-r0
- >= 14.0.0, < 14.14.1; >= 14.15.0, < 14.20.1; >= 16.0.0, < 16.12.1; >= 16.13.0, < 16.17.1; >= 18.0.0, < 18.9.1
- >= 14.0.0, < 14.14.1; >= 14.15.0, < 14.20.1; >= 16.0.0, < 16.12.1; >= 16.13.0, < 16.17.1; >= 18.0.0, < 18.9.1
- >= 0, < 12.22.12~dfsg-1~deb11u3
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |