ALT-PU-2022-3235-2
Closed vulnerabilities
Modified: 2024-09-13
BDU:2022-04390
Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"
BDU:2022-04391
Уязвимость библиотеки providers.dll программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код
Modified: 2026-01-20
BDU:2022-06821
Уязвимость реализации параметра --inspect программного средства работы с объектами Node.js, позволяющей нарушителю выполнить произвольный код
BDU:2023-00348
Уязвимость анализатора HTTP-кода llhttp программного обеспечения для управления сетевой инфраструктурой SINEC INS (Infrastructure Network Services), позволяющая нарушителю выполнить произвольный код
Modified: 2026-01-20
BDU:2024-07321
Уязвимость функции IsIPAddress() программной платформы Node.js, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2022-32212
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Modified: 2024-11-21
CVE-2022-32213
The llhttp parser
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1524555
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1524555
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
Modified: 2024-11-21
CVE-2022-32214
The llhttp parser
- https://hackerone.com/reports/1524692
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
- https://hackerone.com/reports/1524692
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
Modified: 2024-11-21
CVE-2022-32215
The llhttp parser
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1501679
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1501679
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.debian.org/security/2023/dsa-5326
Modified: 2024-11-21
CVE-2022-32223
Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
- https://hackerone.com/reports/1447455
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20220915-0001/
- https://hackerone.com/reports/1447455
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20220915-0001/
Modified: 2025-04-24
CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Modified: 2025-04-24
CVE-2022-43548
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
- https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20230120-0004/
- https://security.netapp.com/advisory/ntap-20230427-0007/
- https://www.debian.org/security/2023/dsa-5326
- https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20230120-0004/
- https://security.netapp.com/advisory/ntap-20230427-0007/
- https://www.debian.org/security/2023/dsa-5326
Modified: 2023-07-11
GHSA-5689-v88g-g6rv
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
- https://nvd.nist.gov/vuln/detail/CVE-2022-32213
- https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
- https://hackerone.com/reports/1524555
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
- https://security.netapp.com/advisory/ntap-20220915-0001
- https://www.debian.org/security/2023/dsa-5326
Modified: 2023-07-11
GHSA-q5vx-44v4-gch4
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
- https://nvd.nist.gov/vuln/detail/CVE-2022-32214
- https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
- https://hackerone.com/reports/1524692
- https://datatracker.ietf.org/doc/html/rfc7230#section-3
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
- https://security.netapp.com/advisory/ntap-20220915-0001
- https://www.debian.org/security/2023/dsa-5326