CVE-2022-35256

moderate-risk

Published 2022-12-05

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Do I need to act?

3.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (8)

Node.Js

Llhttp

Sinec Ins

Debian Linux

Affected Vendors

Debian Siemens Nodejs Llhttp

References (6)

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

Exploit https://hackerone.com/reports/1675191

Third Party Advisory https://www.debian.org/security/2023/dsa-5326

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

Exploit https://hackerone.com/reports/1675191

Third Party Advisory https://www.debian.org/security/2023/dsa-5326

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 7/34 · Low

Exposure 14/34 · Moderate