Bug 2130518 (CVE-2022-35256) - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-35256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2130533 2130534 2130536 2130537 2130538 2130539 2130540 2130541 2130569 2130570 2130571 2130572 2130573 2132003 2130532 2130574 2131745 2131746 2131747 2131748 2131749 2131750 2132004 2132732
Blocks: 2130576
Reported: 2022-09-28 13:14 UTC by TEJ RATHI
Modified: 2023-01-23 15:19 UTC
CC: 19 users

Fixed In Version: Node.js 14.20.1, Node.js 16.17.1, Node.js 18.9.1, llhttp 6.0.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js due to improper validation of HTTP requests: the llhttp parser used by the http module does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP request smuggling, allowing a remote attacker who can send a specially crafted HTTP request to the server to smuggle arbitrary HTTP headers past it.
Clone Of:
Environment:
Last Closed: 2022-12-04 07:33:15 UTC
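The fixed releases listed in Fixed In Version can be turned into a quick local check. The script below is an added example written for this page, not code from the Node.js project, from llhttp or from this bug: it classifies a Node.js version string against the fix list (14.20.1, 16.17.1, 18.9.1) and prints the verdict for the interpreter running it. FIXED, parseVersion, compareVersions and assessNodeVersion are this example's own names. Because the llhttp build bundled with Node.js differs between release lines, the check keys on the Node.js version rather than on llhttp 6.0.10, and a major with no entry in the fix list is reported as unlisted rather than assumed safe.

```javascript
// Added check, not from the advisory or the Node.js project: classify a
// Node.js version string against the fixed releases named on this bug.
// Keyed on the Node.js version (not process.versions.llhttp) because the
// llhttp build bundled with Node.js differs between release lines.
const FIXED = {
  14: [14, 20, 1],
  16: [16, 17, 1],
  18: [18, 9, 1],
};

// "v18.7.0", "18.7.0" or "18.7.0-pre" -> [18, 7, 0]
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (m === null) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// status: 'fixed' | 'affected' | 'unlisted'
// 'unlisted' means the major has no fixed release on this bug (for example
// the 12.x line, which has module tracking bugs elsewhere on this page but
// no entry in Fixed In Version); treat it as unpatched unless your vendor's
// advisory says otherwise.
function assessNodeVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (fixed === undefined) {
    return { status: 'unlisted', reason: `no fixed release listed for ${v[0]}.x` };
  }
  const label = fixed.join('.');
  if (compareVersions(v, fixed) < 0) {
    return { status: 'affected', reason: `${version} is older than ${label}` };
  }
  return { status: 'fixed', reason: `${version} is at or above ${label}` };
}

// Report on the interpreter running this script; the bundled llhttp
// version is shown for reference only and does not drive the verdict.
const verdict = assessNodeVersion(process.version);
console.log(
  `node ${process.version} (llhttp ${process.versions.llhttp}): ` +
  `${verdict.status}, ${verdict.reason}`
);
```

Run it with the Node.js binary you want to audit (`/path/to/node check.js`); a distribution build that backports the fix without bumping the upstream version number will still report as affected here, so confirm against the errata for packaged builds.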

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2022:7142  0        None      None    None     2022-10-25 09:06:11 UTC
Red Hat Product Errata  RHSA-2022:6963  0        None      None    None     2022-10-17 07:17:07 UTC
Red Hat Product Errata  RHSA-2022:6964  0        None      None    None     2022-10-17 07:26:22 UTC
Red Hat Product Errata  RHSA-2022:7044  0        None      None    None     2022-10-19 10:11:15 UTC
Red Hat Product Errata  RHSA-2022:7821  0        None      None    None     2022-11-08 11:30:35 UTC
Red Hat Product Errata  RHSA-2022:7830  0        None      None    None     2022-11-08 11:33:22 UTC
Red Hat Product Errata  RHSA-2023:0321  0        None      None    None     2023-01-23 15:19:20 UTC

Description TEJ RATHI 2022-09-28 13:14:24 UTC
The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.

Impacts:
All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.10 contains the fixes that were updated inside Node.js
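To make the parsing disagreement concrete, here is an added illustration, not llhttp's code and not anything from this bug report: a strict header-block parser that accepts only CRLF as the field-line terminator, next to a deliberately lenient one that also accepts a bare CR or LF, both run over a constructed header block. The lenient parser reports a field the strict one never sees, which is the kind of disagreement between two parsers that HTTP request smuggling relies on. The lenient parser is a stand-in for "does not correctly handle header fields that are not terminated with CRLF", not a reproduction of the actual llhttp defect, and parseHeadersStrict, parseHeadersLenient, compareParsers, addField and SAMPLE are this example's own names.

```javascript
// Added illustration, not llhttp's code. Two parsers for an HTTP/1.1 header
// block (everything after the request line, up to and including the empty
// line). RFC 9112 terminates every field line with CRLF; a parser that also
// accepts a bare CR or LF can see fields that a strict parser on the same
// bytes does not, and that disagreement is what request smuggling exploits.

// Add one "Name: value" line to the header map (names are case-insensitive;
// repeated fields are joined with a comma as RFC 9110 allows).
function addField(headers, line) {
  const colon = line.indexOf(':');
  if (colon <= 0) throw new Error(`malformed header field: ${JSON.stringify(line)}`);
  const name = line.slice(0, colon).toLowerCase();
  const value = line.slice(colon + 1).trim();
  const seen = Object.prototype.hasOwnProperty.call(headers, name);
  headers[name] = seen ? `${headers[name]}, ${value}` : value;
}

// Strict: a field line ends only at "\r\n". A bare "\r" or "\n" inside a
// field is a protocol error, so the whole request is rejected rather than
// interpreted. Returns the fields and the offset where the body starts.
function parseHeadersStrict(raw) {
  const headers = {};
  let pos = 0;
  for (;;) {
    const end = raw.indexOf('\r\n', pos);
    if (end === -1) throw new Error('header block not terminated by CRLF');
    const line = raw.slice(pos, end);
    pos = end + 2;
    if (line === '') break;                      // empty line ends the block
    if (/[\r\n]/.test(line)) {
      throw new Error('bare CR or LF inside a header field');
    }
    addField(headers, line);
  }
  return { headers, bodyOffset: pos };
}

// Lenient: treats "\r\n", a bare "\n" and a bare "\r" all as terminators.
// Constructed stand-in for a parser that does not insist on CRLF; this is
// not the real llhttp logic.
function parseHeadersLenient(raw) {
  const headers = {};
  let pos = 0;
  const terminator = /\r\n|\n|\r/g;
  for (;;) {
    terminator.lastIndex = pos;
    const m = terminator.exec(raw);
    if (m === null) throw new Error('header block not terminated');
    const line = raw.slice(pos, m.index);
    pos = m.index + m[0].length;
    if (line === '') break;
    addField(headers, line);
  }
  return { headers, bodyOffset: pos };
}

// Run both parsers on the same bytes; strict is null when it rejects.
function compareParsers(raw) {
  const lenient = parseHeadersLenient(raw).headers;
  let strict = null;
  try {
    strict = parseHeadersStrict(raw).headers;
  } catch (e) {
    strict = null;
  }
  return { lenient, strict };
}

// Constructed sample: the second field line is cut with a bare "\r" instead
// of CRLF. Lenient splits it into X-Legit and X-Smuggled; strict sees one
// field containing a raw CR and refuses the request.
const SAMPLE = 'Host: example.test\r\n' +
               'X-Legit: 1\rX-Smuggled: yes\r\n' +
               '\r\n';

const result = compareParsers(SAMPLE);
console.log('lenient:', result.lenient);
console.log('strict :', result.strict === null ? 'rejected (400)' : result.strict);
```

The point of the strict variant is that it fails closed: anything that is not CRLF-delimited is an error, so a front-end proxy and the Node.js application cannot be made to read different field boundaries from the same bytes. Rejecting is the right response because a parser that silently picks one interpretation is exactly what the other side of a smuggling attack counts on.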

Comment 1 TEJ RATHI 2022-09-28 13:34:49 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130533]
Affects: fedora-all [bug 2130532]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130537]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130534]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130538]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130539]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130536]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130540]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130541]

Comment 6 errata-xmlrpc 2022-10-17 07:17:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963

Comment 7 errata-xmlrpc 2022-10-17 07:26:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964

Comment 9 errata-xmlrpc 2022-10-19 10:11:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

Comment 10 errata-xmlrpc 2022-11-08 11:30:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821

Comment 11 errata-xmlrpc 2022-11-08 11:33:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830

Comment 12 Product Security DevOps Team 2022-12-04 07:33:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35256

Comment 13 errata-xmlrpc 2023-01-23 15:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
