216.73.216.133

CVE-2025-23167

· Published 19/05/2025 02:15 · Modified 19/05/2025 16:15

Labels: CVE-2025-23167 2025-05-19CVE-2025-23167CWE-444[email protected]

Essential information

Published
19/05/2025 02:15
Modified
19/05/2025 16:15
Author
Creator
CVSS
6.5 MEDIUM (v3.0)
CISA KEV
No
CWE
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
nodejs / node.js cpe:2.3:a:nodejs:node.js:20.0:*:*:*:*:*:*:*
nodejs / node.js cpe:2.3:a:nodejs:node.js:20.<9:*:*:*:*:*:*:*

References