Search for vulnerabilities
Vulnerability details: VCID-ghcc-kqdm-nkem
Vulnerability ID VCID-ghcc-kqdm-nkem
Aliases CVE-2022-35256
Summary The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35256.json
epss 0.03906 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.03906 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.03906 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
epss 0.04594 https://api.first.org/data/v1/epss?cve=CVE-2022-35256
cvssv3.1 6.5 https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
ssvc Track https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.5 https://hackerone.com/reports/1675191
ssvc Track https://hackerone.com/reports/1675191
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-35256
cvssv3.1 6.5 https://www.debian.org/security/2023/dsa-5326
ssvc Track https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35256.json
https://api.first.org/data/v1/epss?cve=CVE-2022-35256
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://www.debian.org/security/2023/dsa-5326
1675191 https://hackerone.com/reports/1675191
2130518 https://bugzilla.redhat.com/show_bug.cgi?id=2130518
977716 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977716
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2022-35256 https://nvd.nist.gov/vuln/detail/CVE-2022-35256
RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963
RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964
RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044
RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821
RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830
RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
USN-6491-1 https://usn.ubuntu.com/6491-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35256.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T13:21:44Z/ Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://hackerone.com/reports/1675191
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T13:21:44Z/ Found at https://hackerone.com/reports/1675191
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-35256
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T13:21:44Z/ Found at https://www.debian.org/security/2023/dsa-5326
Exploit Prediction Scoring System (EPSS)
Percentile 0.87924
EPSS Score 0.03906
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:28:57.928657+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.17/main.json 37.0.0