{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23167", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2025-01-12T01:00:00.648Z", "datePublished": "2025-05-19T01:25:08.454Z", "dateUpdated": "2025-05-27T18:31:36.494Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.*"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.*"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.*"}, {"versionType": "semver", "version": "17.0", "status": "affected", "lessThan": "17.*"}, {"versionType": "semver", "version": "18.0", "status": "affected", "lessThan": "18.*"}, {"versionType": "semver", "version": "19.0", "status": "affected", "lessThan": "19.*"}, {"version": "20.0", "status": "affected", "lessThanOrEqual": "20.19.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-05-27T18:31:36.494Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-444", "lang": "en", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T15:09:55.841520Z", "id": "CVE-2025-23167", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:13:21.685Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-19T15:09:55.841520Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:12:05.322Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.*", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}, {"status": "affected", "version": "20.0", "versionType": "semver", "lessThanOrEqual": "20.19.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-05-27T18:31:36.494Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23167", "state": "PUBLISHED", "dateUpdated": "2025-05-27T18:31:36.494Z", "dateReserved": "2025-01-12T01:00:00.648Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2025-05-19T01:25:08.454Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."}, {"lang": "es", "value": "Una falla en el analizador HTTP de Node.js 20 permite la terminaci\u00f3n incorrecta de los encabezados HTTP/1 mediante `\\r\\n\\rX` en lugar del `\\r\\n\\r\\n` requerido. Esta inconsistencia facilita el contrabando de solicitudes, lo que permite a los atacantes eludir los controles de acceso basados en proxy y enviar solicitudes no autorizadas. El problema se solucion\u00f3 actualizando `llhttp` a la versi\u00f3n 9, que aplica la terminaci\u00f3n correcta de los encabezados. Impacto: * Esta vulnerabilidad afecta solo a los usuarios de Node.js 20.x anteriores a la actualizaci\u00f3n a `llhttp` v9."}], "id": "CVE-2025-23167", "lastModified": "2025-05-19T16:15:27.317", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2025-05-19T02:15:17.583", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8514", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8100020250521115949.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8468", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9060020250529100856.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-03T00:00:00Z"}], "bugzilla": {"description": "nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling", "id": "2367167", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367167"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.", "A flaw was found in the HTTP parser of Node.js. This vulnerability allows attackers to perform request smuggling and bypass proxy-based access controls via improperly terminated HTTP/1 headers using \\r\\n\\rX instead of the standard \\r\\n\\r\\n."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-23167", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-19T01:25:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23167\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23167\nhttps://nodejs.org/en/blog/vulnerability/may-2025-security-releases"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform uses secure, encrypted HTTPS connections over TLS 1.2 to reduce the risk of smuggling attacks by preventing the injection of ambiguous or malformed requests between components. The environment employs IPS/IDS and antimalware solutions to detect and block malicious code while ensuring consistent interpretation of HTTP requests across network layers, mitigating request/response inconsistencies. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, enabling the detection of malformed or suspicious HTTP traffic. Static code analysis and peer reviews enforce strong input validation and error handling to ensure all user inputs adhere to HTTP protocol specifications.", "threat_severity": "Moderate"}