{"id":"CVE-2022-35256","details":"The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.","aliases":["BIT-node-2022-35256","BIT-node-min-2022-35256"],"modified":"2026-04-16T00:04:46.946277670Z","published":"2022-12-05T22:15:10.570Z","related":["ALSA-2022:6963","ALSA-2022:6964","ALSA-2022:7821","ALSA-2022:7830","ALSA-2023:0321","CGA-hp42-xc84-ghf7","SUSE-SU-2022:3503-1","SUSE-SU-2022:3516-1","SUSE-SU-2022:3524-1","SUSE-SU-2022:3614-1","SUSE-SU-2022:3615-1","SUSE-SU-2022:3616-1","SUSE-SU-2022:3656-1","SUSE-SU-2022:3835-1","SUSE-SU-2023:0408-1","SUSE-SU-2023:0419-1","openSUSE-SU-2024:12370-1","openSUSE-SU-2024:12376-1"],"references":[{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"},{"type":"ADVISORY","url":"https://hackerone.com/reports/1675191"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5326"},{"type":"REPORT","url":"https://hackerone.com/reports/1675191"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/1675191"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"0"},{"fixed":"9c812eba2945d6d1ceca6fa2f1a9744d7f2f0029"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35256.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}