HTTP Parser Flaw in Node.js 20 Allows Request Smuggling
CVE-2025-23167
Key Information:
Badges
What is CVE-2025-23167?
A flaw in the HTTP parser of Node.js 20 allows improper termination of HTTP/1 headers using an incorrect sequence \r\n\rX. This vulnerability enables request smuggling attacks, potentially allowing malicious actors to bypass proxy-based access controls and submit unauthorized requests. The flaw has been rectified in llhttp version 9, which ensures that header termination is enforced correctly. Users of Node.js 20.x prior to the upgrade of llhttp are particularly at risk and should take immediate action to mitigate this security threat.
Affected Version(s)
node 4.0 < 4.*
node 5.0 < 5.*
node 6.0 < 6.*
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.