CVE-2025-23167HTTP Request Smuggling in Node

CWE-444HTTP Request Smuggling7 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 73.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedMay 19

Description

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

CVEListV5nodejs/node4.04.*+16

🔴Vulnerability Details

3
OSV
CVE-2025-23167: A flaw in Node2025-05-19
CVEList
CVE-2025-23167: A flaw in Node2025-05-19
GHSA
GHSA-hchw-qwx7-4w4c: A flaw in Node2025-05-19

📋Vendor Advisories

3
Red Hat
nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling2025-05-19
Microsoft
CVE-2025-23167: FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One2025-05-13
Debian
CVE-2025-23167: llhttp - A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers...2025
CVE-2025-23167 — HTTP Request Smuggling in Nodejs Node | cvebase