Node.js HTTP Request Smuggling (CVE-2022-35256): Anatomy of a Parsing Flaw in llhttp
HTTP request smuggling attacks have made headlines for their ability to subvert application logic, poison caches, and bypass security controls in even the most robust web architectures. In late 2022, a parsing flaw in Node.js’s llhttp module (CVE-2022-35256) brought this threat to the core of one of the world’s most popular server-side runtimes, with ripple effects across enterprise, cloud, and industrial IoT deployments.
Introduction
In September 2022, the Node.js project shipped security releases for a subtle but dangerous vulnerability in its HTTP stack, and downstream vendors such as Siemens followed with advisories for products that embed the runtime. An attacker could slip a malicious HTTP request past a front-end proxy and into a backend Node.js server by exploiting a parsing inconsistency in the llhttp library. The vulnerability, tracked as CVE-2022-35256, enabled HTTP Request Smuggling, a technique notorious for its ability to bypass authentication, poison caches, and compromise sensitive data. The flaw was present in Node.js versions 14.x before 14.20.1, 16.x before 16.17.1, and 18.x before 18.9.1, affecting a vast swath of the modern web and industrial control systems.
About the Involved Parties:
- Node.js is the world’s leading server-side JavaScript runtime, with millions of deployments powering web apps, APIs, and IoT platforms. Its ecosystem is foundational to modern web infrastructure.
- llhttp is the high-performance HTTP parser used by Node.js, designed for speed and efficiency but, as this vulnerability shows, sometimes at the expense of strict protocol compliance.
- Siemens is a global leader in industrial automation and digitalization, with products like SINEC INS integrating Node.js for network management. A vulnerability in such a context has direct implications for critical infrastructure.
Technical Information
The root of CVE-2022-35256 lies in how the llhttp parser in Node.js recognised the end of an HTTP header field. RFC 7230 requires every header field line to be terminated by the CRLF sequence (\r\n). Until llhttp version 6.0.10, however, the parser also accepted a header field terminated by a bare CR (\r) with no LF after it, so a CR that a strict peer treats as ordinary bytes inside a field value ended the field early from llhttp's point of view.
This seemingly minor deviation from the standard created a dangerous ambiguity. If a front-end proxy (such as NGINX or a cloud load balancer) recognised only CRLF as a line terminator and forwarded the request untouched, while the Node.js backend also honoured a bare CR, the two would extract different headers from the same bytes. Because the headers determine where the request body ends, they would then disagree about where one request stops and the next begins, and an attacker could arrange for the backend to see a request the proxy never inspected. This is the essence of HTTP Request Smuggling: exploiting differences in request parsing between two systems to "smuggle" a malicious payload past security controls.
Example Exploit Scenario:
Suppose an attacker sends the following request (line endings written out as escapes; the payload is illustrative, not the one from the original report):

    GET / HTTP/1.1\r\n
    Host: victim.com\rX-Foo: bar\rTransfer-Encoding: chunked\r\n
    \r\n
    0\r\n
    \r\n

A front end that recognises only CRLF as a line terminator and passes a bare CR through unchanged sees exactly one header, Host, whose value is the bytes victim.com\rX-Foo: bar\rTransfer-Encoding: chunked. It sees no Transfer-Encoding and no Content-Length, so it treats the request as having no body and forwards it. The vulnerable llhttp parser splits the same line at each bare CR and sees three headers, Host, X-Foo and Transfer-Encoding: chunked, so it reads a chunked body that ends with the 0\r\n\r\n terminator. From that point on the two sides disagree about where the request ends: bytes the front end attributes to the following request can be attributed by Node.js to this one, and vice versa. That desync is what request smuggling builds on to bypass authentication, poison shared caches, or steal session cookies.
Two caveats matter in practice. RFC 7230 section 3.5 requires a recipient of a bare CR to reject the message or replace the CR with a space, so a front end that does either is not exploitable this way; the exposure comes from intermediaries that forward the bytes unchanged. And because llhttp rejects a message that carries both Transfer-Encoding and Content-Length, the hidden header must be the only framing header the backend can see.
The vulnerability is especially dangerous in architectures where Node.js is deployed behind a proxy or load balancer that normalizes HTTP requests differently than the backend parser. Attackers can exploit this to:
- Bypass authentication and authorization controls
- Poison HTTP caches
- Steal or manipulate session data
- Reach backend routes and internal endpoints that the front end was meant to block
The flaw is tracked as CWE-444 (Inconsistent Interpretation of HTTP Requests), and its impact is amplified in complex, layered web architectures.
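As an added illustration (not code from llhttp, Node.js, or the HackerOne report), the following JavaScript models the two parsers' views of the request in the scenario above. The parser modes, the compareViews helper, and the request bytes are constructed for this example; the third mode models the CRLF-enforcing behaviour described under Patch Information below, so the same script shows both the vulnerable disagreement and what the fix changes.

```javascript
'use strict';
// Added example (not llhttp or Node.js code): two toy HTTP/1.1 header parsers
// that differ only in whether a bare CR ends a header line, run over one
// constructed request, so the front-end/back-end disagreement is visible.

// Modes:
//   'crlf-only'      a front end that recognises only CRLF as a line ending and
//                    forwards a bare CR as ordinary bytes inside the field value
//   'bare-cr-ends'   the pre-6.0.10 llhttp behaviour described above
//   'reject-bare-cr' the CRLF-enforcing behaviour of the fix (and RFC 7230 3.5)
function parseHeaders(raw, mode) {
  const headerEnd = raw.indexOf('\r\n\r\n');
  if (headerEnd === -1) throw new Error('incomplete header block');
  const block = raw.slice(0, headerEnd);
  if (mode === 'reject-bare-cr' && /\r(?!\n)/.test(block)) {
    throw new Error('bare CR in header block (LF expected after CR)');
  }
  const lines = mode === 'bare-cr-ends' ? block.split(/\r\n|\r/) : block.split('\r\n');
  const [requestLine, ...fieldLines] = lines;
  const headers = {};
  for (const line of fieldLines) {
    const colon = line.indexOf(':');
    if (colon === -1) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim(); // trim() only strips the ends; an inner CR stays
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { requestLine, headers, bodyStart: headerEnd + 4 };
}

// Offset at which the message body ends, following RFC 7230 3.3.3 for the two
// framings that matter here. llhttp rejects a message carrying both
// Transfer-Encoding and Content-Length, so a payload can hide only the one
// framing header it wants the back end to see.
function bodyEnd(raw, { headers, bodyStart }) {
  if (/\bchunked\b/i.test(headers['transfer-encoding'] || '')) {
    let pos = bodyStart;
    for (;;) {
      const lineEnd = raw.indexOf('\r\n', pos);
      if (lineEnd === -1) throw new Error('incomplete chunk-size line');
      const size = parseInt(raw.slice(pos, lineEnd), 16);
      if (Number.isNaN(size)) throw new Error('bad chunk size');
      pos = lineEnd + 2;
      if (size === 0) {
        if (raw.slice(pos, pos + 2) !== '\r\n') throw new Error('chunked trailers not modelled');
        return pos + 2; // past the last-chunk and the terminating CRLF
      }
      pos += size + 2; // chunk-data plus its CRLF
    }
  }
  if ('content-length' in headers) return bodyStart + Number(headers['content-length']);
  return bodyStart; // neither header: no body
}

// Constructed request (the scenario above): one line that a CRLF-only parser
// reads as a single Host header and a bare-CR parser reads as three headers.
const REQUEST =
  'GET / HTTP/1.1\r\n' +
  'Host: victim.com\rX-Foo: bar\rTransfer-Encoding: chunked\r\n' +
  '\r\n' +
  '0\r\n\r\n';

// Compare how each side delimits the first request on the connection.
function compareViews(raw) {
  const frontEnd = parseHeaders(raw, 'crlf-only');
  const backEnd = parseHeaders(raw, 'bare-cr-ends');
  const frontEndEnd = bodyEnd(raw, frontEnd);
  const backEndEnd = bodyEnd(raw, backEnd);
  return {
    frontEndHeaders: frontEnd.headers,
    backEndHeaders: backEnd.headers,
    frontEndRequestBytes: frontEndEnd,
    backEndRequestBytes: backEndEnd,
    // Bytes the front end attributes to whatever follows this request but the
    // back end consumes as this request's body: the desync window.
    disputedBytes: raw.slice(Math.min(frontEndEnd, backEndEnd), Math.max(frontEndEnd, backEndEnd)),
  };
}

console.log(JSON.stringify(compareViews(REQUEST), null, 2));
```

Running the script prints the two header maps side by side: the front end's single Host value still contains the hidden Transfer-Encoding, while the back end sees it as its own header and consumes five extra bytes. Switching the mode to 'reject-bare-cr' makes parseHeaders throw on the same input, which is the behaviour a patched llhttp exhibits.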
Patch Information
To address the HTTP Request Smuggling vulnerability caused by incorrect parsing of header fields, the llhttp parser was changed to require that every HTTP header field is terminated with the CRLF (Carriage Return and Line Feed) sequence; a CR that is not followed by LF is now rejected instead of being treated as the end of the field. The fix shipped in llhttp version 6.0.10 and in the llhttp copies bundled with Node.js 14.20.1, 16.17.1, and 18.9.1. Upgrading to these versions removes the parsing discrepancy that this attack depends on.
For detailed information on this security release, please refer to the official Node.js blog post: September 23rd 2022 Security Releases.
Affected Systems and Versions
CVE-2022-35256 specifically affects the following Node.js versions:
- Node.js 14.x: All versions prior to 14.20.1
- Node.js 16.x: All versions prior to 16.17.1
- Node.js 18.x: All versions prior to 18.9.1
Any deployment on these versions is vulnerable to HTTP Request Smuggling via improperly terminated headers, with the practical exposure concentrated where Node.js sits behind a proxy or load balancer that recognises only CRLF as a line terminator and forwards a bare CR unchanged.
Siemens SINEC INS and other products embedding vulnerable Node.js versions are also affected. Debian and other Linux distributions have issued security advisories and backports for their packaged Node.js versions.
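A quick way to check a fleet against the ranges listed above is to compare each runtime's version string with the first fixed release of its line. The function below is an added example, not Node.js project code; the version table and the three-way result (affected, fixed, or not covered by the advisory) are this example's own design.

```javascript
'use strict';
// Added example (not Node.js project code): decide whether a Node.js version
// string falls inside the CVE-2022-35256 ranges listed in the advisory.

// First fixed release of each affected line, per the September 2022 releases.
const FIXED_IN = { 14: [14, 20, 1], 16: [16, 17, 1], 18: [18, 9, 1] };

// Accept "v18.7.0", "18.7.0" or a longer string such as "v18.7.0-pre".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a Node.js version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true if the version is affected, false if it is fixed, and null for
// release lines the advisory does not cover (end-of-life lines such as 12.x),
// so that "not listed" is never silently read as "fixed". Lines newer than
// 18.x were first released after the fix and are reported as not affected.
function isAffectedNodeVersion(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major > 18) return false;
  const fixed = FIXED_IN[major];
  if (!fixed) return null;
  return compareVersions(parsed, fixed) < 0;
}

// Check the runtime this script is executing under.
console.log(`${process.version}: affected=${isAffectedNodeVersion(process.version)}`);
```

Run it with the Node.js binary you want to assess, or feed it version strings collected from an inventory; a null result means the line needs a separate end-of-life assessment rather than a pass.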
Vendor Security History
Node.js has a mature security process, with a public vulnerability disclosure program run through HackerOne. However, the llhttp parser's focus on performance over strict protocol compliance has led to previous parsing-related vulnerabilities, including other request-smuggling fixes earlier in 2022. CVE-2022-35256 was reported through that program and fixed in the September 2022 security releases, a reminder that a large share of the HTTP attack surface sits in foundational parsing logic shared by every supported version of the runtime. Siemens responded with advisories and patches for its affected products, highlighting the importance of supply chain security in industrial environments.
References
- NVD Entry for CVE-2022-35256
- Node.js September 2022 Security Releases
- Siemens Advisory SSA-332410
- HackerOne Report 1675191
- Debian Security Advisory DSA-5326
Source: This report was created using AI