PT-2022-6180 · Node.Js+8 · Node+8

Vvx7

Published: 2022-09-23 · Updated: 2026-05-18 · CVE-2022-35256

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Node versions 18.7.0

Description: The llhttp parser in the http module does not correctly handle header fields that are not terminated with CRLF, potentially resulting in HTTP Request Smuggling. There is also a mention of a vulnerability in the SINEC INS software related to bypassing the authentication mechanism, allowing a remote attacker to execute arbitrary code.

Recommendations: For Node version 18.7.0, update to a newer version to mitigate the risk of HTTP Request Smuggling. As a temporary workaround, consider restricting the handling of header fields that are not terminated with CRLF until a patch is available.

Exploit

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALSA-2022:6963
ALSA-2022:6964
ALSA-2022:7821
ALSA-2022:7830
ALSA-2023:0321
ALT-PU-2022-2701
ALT-PU-2022-3073
ALT-PU-2022-3235
ALT-PU-2023-1461
AZL-31039
AZL-35235
BDU:2023-00348
BIT-NODE-2022-35256
BIT-NODE-MIN-2022-35256
CESA-2022_6964
CESA-2022_7821
CESA-2022_7830
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2022-35256
DSA-5326-1
MGASA-2022-0354
OESA-2023-1551
OPENSUSE-SU-2022_3614-1
OPENSUSE-SU-2022_3615-1
OPENSUSE-SU-2022_3616-1
OPENSUSE-SU-2022_3656-1
OPENSUSE-SU-2022_3835-1
OPENSUSE-SU-2023_0419-1
OPENSUSE-SU-2024:12370-1
OPENSUSE-SU-2024:12376-1
RHSA-2022:6963
RHSA-2022:6964
RHSA-2022:7044
RHSA-2022:7821
RHSA-2022:7830
RHSA-2022_6963
RHSA-2022_6964
RHSA-2022_7821
RHSA-2022_7830
RHSA-2023:0321
RHSA-2023:1533
RHSA-2023:1742
RHSA-2023_0321
RLSA-2022:6963
RLSA-2022:6964
RLSA-2022:7821
RLSA-2022:7830
RLSA-2023:0321
SUSE-SU-2022:3503-1
SUSE-SU-2022:3516-1
SUSE-SU-2022:3524-1
SUSE-SU-2022:3614-1
SUSE-SU-2022:3615-1
SUSE-SU-2022:3616-1
SUSE-SU-2022:3656-1
SUSE-SU-2022:3835-1
SUSE-SU-2023:0408-1
SUSE-SU-2023:0419-1
USN-6491-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Linux Mint
Node
Red Hat
Rocky Linux
SUSE
Ubuntu