CVE-2025-23167
May 19, 2025
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using "\r\n\rX" instead of the required "\r\n\r\n".
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading "llhttp" to version 9, which enforces correct header termination.
Impact:
* This vulnerability affects only Node.js 20.x users prior to the "llhttp" v9 upgrade.
Affected Packages
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v20.0.0 <v20.19.2Fix Suggestion:
Update to version v20.19.2Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
EPSS
Base Score:
0.03
