CVE-2022-35256: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

December 5, 2022 (updated May 12, 2023)

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

References

hackerone.com/reports/1675191
nvd.nist.gov/vuln/detail/CVE-2022-35256

Code Behaviors & Features

Detect and mitigate CVE-2022-35256 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →