CVE-2022-35256 (llhttp) found on v14.x

[github-actions]

A new vulnerability for llhttp 2.1.6 was found:
Vulnerability ID: CVE-2022-35256
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2022-35256
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/3653206934

[richardlau]

Any idea why this has just popped up now? FWIW I'm preparing a Node.js 14 release for Tuesday but there are no llhttp commits in the proposal: nodejs/node#45775

[richardlau]

Is this an error in https://nvd.nist.gov/vuln/detail/CVE-2022-35256?

Maybe stemming from https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256?

llhttp v6.0.10 contains the fixes that were updated inside Node.js

Node.js was updated to llhttp 2.1.6 by nodejs/node@a9f1146 as part of those same security releases. I believe there were semver reasons why Node.js 14 is not on a later llhttp semver major.

[RafaelGSS]

cc: @ShogunPanda

[mcollina]

My understanding is that there is a mistake on that CVE as llhttp v2.1.6 contains those fixes.

[mhdawson]

We have asked how we get the CVE updated, but based on our understanding as outlined by @mcollina above this does not affect current Node.js versions.

[ShogunPanda]

Node 14 uses llhttp 2.1.x so I confirm this is not valid.

[mhdawson]

Closing out as 14.x is EOL