A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
History

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Tue, 20 May 2025 02:30:00 +0000

Type Values Removed Values Added
Title nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444

Mon, 19 May 2025 02:00:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2025-05-19T01:25:08.454Z

Updated: 2025-05-27T18:31:36.494Z

Reserved: 2025-01-12T01:00:00.648Z

Link: CVE-2025-23167

cve-icon Vulnrichment

Updated: 2025-05-19T15:12:05.322Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-05-19T02:15:17.583

Modified: 2025-05-19T16:15:27.317

Link: CVE-2025-23167

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-05-19T01:25:08Z

Links: CVE-2025-23167 - Bugzilla