CVE-2022-35256
Publication date 5 December 2022
Last updated 25 August 2025
Ubuntu priority
Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nodejs | ||
| 22.04 LTS jammy |
Fixed 12.22.9~dfsg-1ubuntu3.2
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6491-1
- Node.js vulnerabilities
- 21 November 2023