CVE-2023-30589

CWE-444 — HTTP Request Smuggling12 documents9 sources

Severity

7.5HIGH

EPSS

1.9%

top 16.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Fedoraproject Fedora

Timeline

PublishedJul 1

Latest updateApr 16

Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶npmllhttp< 8.1.1

▶CVEListV5nodejs/node4.0 — 4.*+16

▶NVDnodejs/node.js16.0.0 — 16.20.1+2

▶Debiannodejs< 12.22.12~dfsg-1~deb11u5+3

Also affects: Fedora 37, 38

Patches

Patch: lists.fedoraproject.org ↗Patch: lists.fedoraproject.org ↗Patch: lists.fedoraproject.org ↗

🔴Vulnerability Details

OSV

nodejs vulnerabilities↗2024-04-16

▶

GHSA

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser↗2023-07-20

▶

OSV

llhttp vulnerable to HTTP request smuggling↗2023-07-01

▶

GHSA

llhttp vulnerable to HTTP request smuggling↗2023-07-01

▶

OSV

CVE-2023-30589: The llhttp parser in the http module in Node v20↗2023-07-01

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2024-04-16

▶

Oracle

Oracle Oracle Java SE Risk Matrix: Node (Node.js) — CVE-2023-30589↗2023-10-15

▶

Red Hat

nodejs: HTTP Request Smuggling via Empty headers separated by CR↗2023-06-20

▶

Microsoft

▶

Debian

CVE-2023-30589: llhttp - The llhttp parser in the http module in Node v20.2.0 does not strictly use the C...↗2023

▶