2130518 – (CVE-2022-35256) CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

Bug 2130518 (CVE-2022-35256) - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

Summary: CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of hea...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-35256
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2130533 2130534 2130536 2130537 2130538 2130539 2130540 2130541 2130569 2130570 2130571 2130572 2130573 2132003 2130532 2130574 2131745 2131746 2131747 2131748 2131749 2131750 2132004 2132732
Blocks:	2130576
TreeView+	depends on / blocked

Reported:	2022-09-28 13:14 UTC by TEJ RATHI
Modified:	2023-01-23 15:19 UTC (History)
CC List:	19 users (show)
Fixed In Version:	NodeJS 14.20.1, Nodejs 16.17.1, Nodejs 18.9.1, llhttp 6.0.10
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Clone Of:
Environment:
Last Closed:	2022-12-04 07:33:15 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2022:7142	None	None	None	2022-10-25 09:06:11 UTC
Red Hat Product Errata	RHSA-2022:6963	None	None	None	2022-10-17 07:17:07 UTC
Red Hat Product Errata	RHSA-2022:6964	None	None	None	2022-10-17 07:26:22 UTC
Red Hat Product Errata	RHSA-2022:7044	None	None	None	2022-10-19 10:11:15 UTC
Red Hat Product Errata	RHSA-2022:7821	None	None	None	2022-11-08 11:30:35 UTC
Red Hat Product Errata	RHSA-2022:7830	None	None	None	2022-11-08 11:33:22 UTC
Red Hat Product Errata	RHSA-2023:0321	None	None	None	2023-01-23 15:19:20 UTC

Description TEJ RATHI 2022-09-28 13:14:24 UTC

The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Impacts:
All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.10 contains the fixes that were updated inside Node.js

Comment 1 TEJ RATHI 2022-09-28 13:34:49 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130533]
Affects: fedora-all [bug 2130532]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130537]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130534]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130538]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130539]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130536]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130540]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130541]

Comment 6 errata-xmlrpc 2022-10-17 07:17:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963

Comment 7 errata-xmlrpc 2022-10-17 07:26:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964

Comment 9 errata-xmlrpc 2022-10-19 10:11:12 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

Comment 10 errata-xmlrpc 2022-11-08 11:30:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821

Comment 11 errata-xmlrpc 2022-11-08 11:33:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830

Comment 12 Product Security DevOps Team 2022-12-04 07:33:12 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35256

Comment 13 errata-xmlrpc 2023-01-23 15:19:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321

Note You need to log in before you can comment on or make changes to this bug.