HTTP Request Smuggling Affecting nodejs-full-i18n package, versions <1:16.18.1-3.el9_1
Threat Intelligence
EPSS
0.26% (67th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RHEL9-NODEJSFULLI18N-3035552
- published 29 Sep 2022
- disclosed 23 Sep 2022
Introduced: 23 Sep 2022
CVE-2022-35256 Open this link in a new tabHow to fix?
Upgrade RHEL:9 nodejs-full-i18n to version 1:16.18.1-3.el9_1 or higher.
This issue was patched in RHSA-2023:0321.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nodejs-full-i18n package and not the nodejs-full-i18n package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVSS Scores
version 3.1