Lucene search

K
cveHackeroneCVE-2023-30589
HistoryJul 01, 2023 - 12:15 a.m.

CVE-2023-30589

2023-07-0100:15:10
hackerone
web.nvd.nist.gov
238
node.js
http module
v20.2.0
cve-2023-30589
http request smuggling
hrs
llhttp parser
nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

59.0%

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Affected configurations

Nvd
Vulners
Node
nodejsnode.jsRange16.0.016.20.1-
OR
nodejsnode.jsRange18.0.018.16.1-
OR
nodejsnode.jsRange20.0.020.3.1-
Node
fedoraprojectfedoraMatch37
OR
fedoraprojectfedoraMatch38
VendorProductVersionCPE
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
fedoraprojectfedora38cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "https://github.com/nodejs/node",
    "versions": [
      {
        "version": "v20.3.1",
        "status": "affected",
        "lessThan": "v20.3.1",
        "versionType": "semver"
      },
      {
        "version": "v18.16.1",
        "status": "affected",
        "lessThan": "v18.16.1",
        "versionType": "semver"
      },
      {
        "version": "v16.20.1",
        "status": "affected",
        "lessThan": "v16.20.1",
        "versionType": "semver"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

59.0%