CVE-2022-35256 (llhttp) found on v14.x #92
Comments
|
Any idea why this has just popped up now? FWIW I'm preparing a Node.js 14 release for Tuesday but there are no llhttp commits in the proposal: nodejs/node#45775 |
|
Is this an error in https://nvd.nist.gov/vuln/detail/CVE-2022-35256? Maybe stemming from https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256?
Node.js was updated to llhttp 2.1.6 by nodejs/node@a9f1146 as part of those same security releases. I believe there were semver reasons why Node.js 14 is not on a later llhttp semver major. |
|
cc: @ShogunPanda |
|
My understanding is that there is a mistake on that CVE as llhttp v2.1.6 contains those fixes. |
|
We have asked how we get the CVE updated, but based on our understanding as outlined by @mcollina above this does not affect current Node.js versions. |
|
Node 14 uses llhttp 2.1.x so I confirm this is not valid. |
|
Closing out as 14.x is EOL |
A new vulnerability for llhttp 2.1.6 was found:
Vulnerability ID: CVE-2022-35256
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2022-35256
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/3653206934
The text was updated successfully, but these errors were encountered: