A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.
Impact:
* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
Metrics
Affected Vendors & Products
References
History
Fri, 06 Jun 2025 22:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat enterprise Linux |
|
CPEs | cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 |
|
Vendors & Products |
Redhat
Redhat enterprise Linux |
Tue, 20 May 2025 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Title | nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling | |
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Mon, 19 May 2025 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 19 May 2025 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-444 |
Mon, 19 May 2025 02:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. | |
References |
| |
Metrics |
cvssV3_0
|

Status: PUBLISHED
Assigner: hackerone
Published: 2025-05-19T01:25:08.454Z
Updated: 2025-05-27T18:31:36.494Z
Reserved: 2025-01-12T01:00:00.648Z
Link: CVE-2025-23167

Updated: 2025-05-19T15:12:05.322Z

Status : Awaiting Analysis
Published: 2025-05-19T02:15:17.583
Modified: 2025-05-19T16:15:27.317
Link: CVE-2025-23167
