Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
nodejs | fixed | 18.10.0+dfsg-1 | | package |
nodejs | not-affected | | buster | package |
llhttp | itp | | | package |
Notes
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
https://hackerone.com/reports/1888760
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1)