Home > Vulnerability Database > CVE-2023-30589

Mend.io Vulnerability Database

CVE-2023-30589

Good to know:

Date: June 30, 2023

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Language: JS

Severity Score

7.5

Related Resources (13)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/

Url: https://github.com/nodejs/node/commit/2e6de554f6b2f7969f6c51bef784ddb74c00a0ab

Url: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/

Url: https://hackerone.com/reports/2001873

Url: https://security-tracker.debian.org/tracker/CVE-2023-30589

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/

Url: https://security.netapp.com/advisory/ntap-20230803-0009/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30589

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/

Url: https://www.mend.io/vulnerability-database/CVE-2023-30589

Severity Score

7.5

Top Fix

Upgrade Version

Upgrade to version v16.20.1,v18.16.1,v20.3.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30589

Good to know:

Date: June 30, 2023

Language: JS

Severity Score

Related Resources (13)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?