CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables…

medium6.5CVSS 3.0

AVNACLPRNUINSUCLILAN

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.

Impact:
* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

Affected

31 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	llhttp	< node-undici 7.15.0+dfsg+~cs3.2.0-1 (forky)	node-undici 7.15.0+dfsg+~cs3.2.0-1 (forky)
debian	node-undici	< node-undici 7.15.0+dfsg+~cs3.2.0-1 (forky)	node-undici 7.15.0+dfsg+~cs3.2.0-1 (forky)
msrc	azl3_fluent-bit_3.1.9-4_on_azure_linux_3.0	—	—
msrc	azl3_nodejs_20.14.0-10_on_azure_linux_3.0	—	—
msrc	azl3_nodejs_20.14.0-13_on_azure_linux_3.0	—	—
msrc	azl3_nodejs_20.14.0-14_on_azure_linux_3.0	—	—
msrc	azl3_nodejs_20.14.0-9_on_azure_linux_3.0	—	—
msrc	cbl2_fluent-bit_3.0.6-2_on_cbl_mariner_2.0	—	—
msrc	cbl2_nghttp2_1.57.0-2_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.20.3-10_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.20.3-11_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.20.3-12_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.20.3-8_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.20.3-9_on_cbl_mariner_2.0	—	—
nodejs	node	>= 10.0 < 10.*	10.*
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.*	12.*
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.*	14.*
nodejs	node	>= 15.0 < 15.*	15.*
nodejs	node	>= 16.0 < 16.*	16.*
nodejs	node	>= 17.0 < 17.*	17.*
nodejs	node	>= 18.0 < 18.*	18.*
nodejs	node	>= 19.0 < 19.*	19.*
nodejs	node	20.0 – 20.19.1	—

CVSS provenance

nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

osv6.5MEDIUM