BIT-node-2022-35256

BIT-node-2022-35256 PUBLISHED CVSS 6.5 MEDIUM

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Bitnami	node	14.0.0, 14.15.0, 16.0.0

Exploit Intelligence

https://hackerone.com/reports/1675191 (osv)

Timeline

Mar 6, 2024 CVE Published
Apr 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf url
https://hackerone.com/reports/1675191 url
https://www.debian.org/security/2023/dsa-5326 url
https://nvd.nist.gov/vuln/detail/CVE-2022-35256 url

Open in Interactive Console →