CVE-2025-23167

Summary

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.

Impact:

  • This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.

Affected Software

VendorProductVersion RangeStatus
nodejsnode4.0 < 4.*affected
nodejsnode5.0 < 5.*affected
nodejsnode6.0 < 6.*affected
nodejsnode7.0 < 7.*affected
nodejsnode8.0 < 8.*affected
nodejsnode9.0 < 9.*affected
nodejsnode10.0 < 10.*affected
nodejsnode11.0 < 11.*affected
nodejsnode12.0 < 12.*affected
nodejsnode13.0 < 13.*affected
nodejsnode14.0 < 14.*affected
nodejsnode15.0 < 15.*affected
nodejsnode16.0 < 16.*affected
nodejsnode17.0 < 17.*affected
nodejsnode18.0 < 18.*affected
nodejsnode19.0 < 19.*affected
nodejsnode20.0 <= 20.19.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References