HTTP Parser Flaw in Node.js 20 Allows Request Smuggling
CVE-2025-23167

6.5MEDIUM

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 19 May 2025

What is CVE-2025-23167?

A flaw in the HTTP parser of Node.js 20 allows improper termination of HTTP/1 headers using an incorrect sequence \r\n\rX. This vulnerability enables request smuggling attacks, potentially allowing malicious actors to bypass proxy-based access controls and submit unauthorized requests. The flaw has been rectified in llhttp version 9, which ensures that header termination is enforced correctly. Users of Node.js 20.x prior to the upgrade of llhttp are particularly at risk and should take immediate action to mitigate this security threat.

Affected Version(s)

node 20.19.1

References

https://nodejs.org/en/blog/vulnerability/may-2025-securit...

CVSS V3.0

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2025
Vulnerability Reserved
Jan 12, 2025

Nodejs

What is CVE-2025-23167?

Affected Version(s)

References

CVSS V3.0

Timeline