CVE-2022-35256 Overview
CVE-2022-35256 is an HTTP Request Smuggling vulnerability in llhttp, the HTTP parser used by the Node.js http module. The parser did not correctly handle header fields that are not terminated with CRLF (Carriage Return Line Feed), the line terminator HTTP requires after every header field. A parser that accepts such fields can place request boundaries differently from the proxies and other HTTP components in front of it, and that discrepancy is exactly what HTTP Request Smuggling exploits; the consequences include cache poisoning, session hijacking and bypass of front-end security controls.
Critical Impact
Attackers can exploit this HTTP Request Smuggling flaw to bypass front-end security controls, poison web caches and hijack user sessions in Node.js applications deployed behind a proxy, load balancer or WAF that parses the malformed header bytes differently from llhttp.
Affected Products
- Node.js v18.7.0 (the version named in the advisory) and earlier releases on the 14.x, 16.x and 18.x lines; fixed in v14.20.1, v16.17.1 and v18.9.1
- llhttp (the HTTP parser bundled with Node.js)
- Siemens SINEC INS (versions prior to 1.0 SP2 Update 1)
- Debian Linux 11.0
Discovery Timeline
- 2022-12-05 - CVE-2022-35256 published to NVD
- 2025-04-24 - Last updated in NVD database
Technical Details for CVE-2022-35256
Vulnerability Analysis
This vulnerability resides in llhttp, the parser that turns raw HTTP bytes into requests for the Node.js http module. The root cause is improper handling of header fields that lack the CRLF (Carriage Return Line Feed) termination sequence. RFC 7230 (since superseded by RFC 9112) requires each header field to end with CRLF; llhttp did not strictly enforce this, so it accepted bytes that a conforming parser would reject or read differently, creating a parsing discrepancy.
HTTP Request Smuggling (CWE-444) exploits differences in how front-end and back-end servers locate the boundaries of an HTTP request. When llhttp accepts an improperly terminated header field, it can place those boundaries differently from other components in the request chain, such as load balancers, reverse proxies or web application firewalls.
That inconsistency lets an attacker craft bytes that a front-end device treats as a single request but the Node.js back end interprets as two or more. The attack requires no authentication and is executed remotely over the network; its cross-user impact arises in deployments where another HTTP component in front of Node.js parses the same bytes differently, which is the usual reverse-proxy setup.
Root Cause
The vulnerability stems from insufficient input validation in llhttp's header-field parsing: the parser did not reject, or did not handle consistently, header fields that lack the CRLF terminator required by RFC 7230. That leniency lets an attacker manipulate where the parser believes one request ends and the next begins.
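To make the parsing discrepancy concrete, here is an added example written for this page (not llhttp's code, and not a reproduction of the HackerOne report): a small HTTP/1.1 request parser run under two header-termination policies over the same constructed bytes. The strict policy follows RFC 7230 section 3.5 and RFC 9112 section 2.2 (CRLF ends a field, a lone LF is tolerated, a bare CR inside a field is an error). The lenient policy also treats a bare CR as a terminator, one possible way of accepting a header field that is not terminated with CRLF; it models the class of discrepancy, not llhttp's actual logic. The parser, the policy objects and the sample requests are all constructed for illustration.

```javascript
// Added example, not llhttp's code: a constructed model of how two HTTP/1.1
// parsers that disagree on what terminates a header field end up disagreeing
// on where one request ends and the next begins (the CWE-444 condition).
//
// STRICT: a field ends at CRLF (a lone LF is tolerated, per RFC 7230 s3.5),
//         and a bare CR inside a field is an error (RFC 9112 s2.2).
// LENIENT: additionally treats a bare CR as a terminator, so it sees more
//          fields than STRICT in the same bytes.
const STRICT = { name: 'strict', lineEnd: /\r\n|\n/, rejectBareCR: true };
const LENIENT = { name: 'lenient', lineEnd: /\r\n|\r|\n/, rejectBareCR: false };

// Parse one request from `raw` under `policy`. Returns the request line, the
// header map, the body delimited by Content-Length, and whatever bytes remain,
// which a server handling pipelined requests reads as the start of the next one.
function parseRequest(raw, policy) {
  const headers = {};
  let requestLine = null;
  let pos = 0;
  for (;;) {
    const m = policy.lineEnd.exec(raw.slice(pos));
    if (!m) throw new Error('header section is not terminated');
    const line = raw.slice(pos, pos + m.index);
    pos += m.index + m[0].length;
    if (policy.rejectBareCR && line.includes('\r')) {
      throw new Error(`bare CR in header line ${JSON.stringify(line)}`);
    }
    if (line === '') break; // the empty line closes the header section
    if (requestLine === null) { requestLine = line; continue; }
    const colon = line.indexOf(':');
    if (colon < 1) throw new Error(`malformed header line ${JSON.stringify(line)}`);
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  if (requestLine === null) throw new Error('missing request line');
  const clText = headers['content-length'];
  if (clText !== undefined && !/^\d+$/.test(clText)) {
    throw new Error(`invalid Content-Length ${JSON.stringify(clText)}`);
  }
  const length = clText === undefined ? 0 : Number(clText);
  return { requestLine, headers, body: raw.slice(pos, pos + length), rest: raw.slice(pos + length) };
}

// Constructed inputs (not captured traffic). In SAMPLE the third header line
// contains a bare CR where CRLF is required.
const WELL_FORMED =
  'POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\nABCD';
const SAMPLE =
  'POST /submit HTTP/1.1\r\n' +
  'Host: app.example\r\n' +
  'Content-Length: 4\rX-Extra: value\r\n' +
  '\r\n' +
  'ABCD' +
  'GET /second HTTP/1.1\r\nHost: app.example\r\n\r\n';

// Run both policies over the same bytes and report what each one sees.
function compareParsers(raw) {
  const out = {};
  for (const policy of [STRICT, LENIENT]) {
    try {
      const r = parseRequest(raw, policy);
      out[policy.name] = {
        outcome: 'accepted',
        headers: Object.keys(r.headers),
        body: r.body,
        nextRequestLine: r.rest ? r.rest.split(/\r\n|\n/, 1)[0] : null,
      };
    } catch (e) {
      out[policy.name] = { outcome: 'rejected', reason: e.message };
    }
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareParsers(SAMPLE), null, 2));
}
```

The well-formed request parses identically under both policies. For the malformed one the strict parser refuses the whole request, while the lenient parser accepts it, reads a four-byte body and leaves the trailing bytes to be parsed as a second request. Any two hops that both accept the same bytes but with different boundaries produce the situation the Attack Vector section describes, which is why the edge should reject such fields rather than repair them.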
Attack Vector
The attack is network-based and needs no authentication. An attacker sends a crafted HTTP request containing a header field without proper CRLF termination. When the request passes through a chain of HTTP-processing components (for example a reverse proxy and a Node.js application server) that parse it differently, the discrepancy can result in:
- Request Smuggling: The attacker's malicious request is "smuggled" past front-end security controls
- Cache Poisoning: Malicious responses are cached and served to other users
- Session Hijacking: Requests are associated with other users' sessions
- Security Bypass: Web application firewalls and other security controls are circumvented
The vulnerability can be exploited by crafting HTTP requests with malformed header termination sequences, causing the llhttp parser to misinterpret where one request ends and another begins. Technical details of the exploitation technique are documented in the HackerOne Report #1675191.
Detection Methods for CVE-2022-35256
Indicators of Compromise
- HTTP requests with malformed header termination sequences (a bare CR or bare LF where CRLF is required) in raw request captures taken at the edge proxy or from a packet capture
- Unexpected cache behavior or cache poisoning incidents
- Evidence of session manipulation or unauthorized access patterns
- Anomalous HTTP traffic patterns indicating request smuggling attempts
Detection Strategies
- Monitor HTTP traffic for requests containing non-standard header field terminations
- Implement deep packet inspection to identify HTTP parsing anomalies
- Deploy web application firewall rules specifically designed to detect HTTP Request Smuggling patterns
- Compare request interpretations between front-end and back-end servers to identify parsing discrepancies
Monitoring Recommendations
- Capture raw request bytes at the network edge (proxy logs that preserve raw headers, or a packet capture) in addition to verbose request logging in the Node.js application; the application only sees headers after llhttp has parsed them, so a lenient split at a bad terminator is no longer visible there
- Monitor for Content-Length and Transfer-Encoding header inconsistencies
- Set up alerts for unusual patterns in HTTP response sizes or timing
- Implement application-level monitoring for session anomalies that may indicate successful exploitation
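The checks in the two lists above, as an added example that is not part of the original advisory: a scanner for the request-smuggling signals (bare CR or LF inside the header section, a Content-Length value that is not a decimal integer, duplicate Content-Length, Content-Length alongside Transfer-Encoding) run over raw HTTP/1.1 request bytes. It must be fed the bytes as they arrived on the wire, from a capture or a logging proxy, because once a lenient parser has split a field at a bad terminator the application only sees the split result. The scanner and the sample captures are constructed for this page.

```javascript
// Added example, not part of the original advisory: detection over raw
// request bytes for the signals listed in the Detection Methods section.
function scanRawRequest(raw) {
  const findings = [];
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  if (end === -1) findings.push('header section not closed by CRLF CRLF');
  // A CR not followed by LF, or an LF not preceded by CR, inside the header section.
  if (/\r(?!\n)/.test(head)) findings.push('bare CR in header section');
  if (/(?<!\r)\n/.test(head)) findings.push('bare LF in header section');
  // Field names and Content-Length values, taken from the CRLF-delimited lines
  // after the request line (the interpretation a strict front end would use).
  const fieldLines = head.split('\r\n').slice(1).filter((line) => line.indexOf(':') > 0);
  const names = fieldLines.map((line) => line.slice(0, line.indexOf(':')).trim().toLowerCase());
  const contentLengths = fieldLines
    .filter((line, i) => names[i] === 'content-length')
    .map((line) => line.slice(line.indexOf(':') + 1).trim());
  if (contentLengths.length > 1) findings.push('multiple Content-Length headers');
  if (contentLengths.length > 0 && names.includes('transfer-encoding')) {
    findings.push('Content-Length and Transfer-Encoding both present');
  }
  if (contentLengths.some((v) => !/^\d+$/.test(v))) {
    findings.push('Content-Length value is not a decimal integer');
  }
  return findings;
}

// Constructed captures (not real traffic), one per signal.
const CAPTURES = {
  wellFormed: 'GET / HTTP/1.1\r\nHost: app.example\r\n\r\n',
  bareCR: 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\rX-Extra: value\r\n\r\nABCD',
  bareLF: 'GET / HTTP/1.1\nHost: app.example\r\n\r\n',
  clAndTe: 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n',
  twoCL: 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\nABCD',
};

// Scan every capture and return a name -> findings report.
function scanAll(captures) {
  const report = {};
  for (const [name, raw] of Object.entries(captures)) report[name] = scanRawRequest(raw);
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, findings] of Object.entries(scanAll(CAPTURES))) {
    console.log(`${name}: ${findings.length ? findings.join('; ') : 'no findings'}`);
  }
}
```

A bare LF is tolerated by RFC 7230 section 3.5, so that finding is a signal to review rather than proof of an attack; a bare CR and a non-numeric Content-Length are never legitimate and should be blocked at the edge as well as alerted on.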
How to Mitigate CVE-2022-35256
Immediate Actions Required
- Update Node.js immediately to a release containing the llhttp fix: v14.20.1, v16.17.1 or v18.9.1 (the September 2022 security release), or any later release on those lines
- Review and update all affected Siemens SINEC INS installations to version 1.0 SP2 Update 1 or later
- Apply Debian security updates as outlined in DSA-5326
- Audit application logs for potential exploitation attempts
Patch Information
Security patches are available from multiple vendors. Node.js users should upgrade to a release that includes the llhttp fix: v14.20.1, v16.17.1 or v18.9.1, or later. For Siemens SINEC INS, refer to the Siemens Security Advisory SSA-332410 for specific version guidance. Debian users should apply updates as described in Debian Security Advisory DSA-5326.
Workarounds
- Deploy a properly configured reverse proxy or load balancer that strictly validates HTTP header formatting before forwarding requests to Node.js
- Implement strict HTTP parsing at the network edge to reject requests with malformed header terminations, and do not run Node.js with the --insecure-http-parser flag (or the insecureHTTPParser server option), which makes llhttp accept additional malformed input
- Use web application firewalls with HTTP Request Smuggling detection capabilities
- Limit external network exposure of vulnerable Node.js applications until patching is complete
# Example: check the running Node.js version against the fixed releases
# (v14.20.1, v16.17.1, v18.9.1 from the September 2022 security release)
node --version
# Update with nvm to the latest LTS release, which includes the llhttp fix
nvm install --lts
nvm use --lts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


