Lucene search

K
cvelistHackeroneCVELIST:CVE-2023-30589
HistoryJun 30, 2023 - 11:39 p.m.

CVE-2023-30589

2023-06-3023:39:59
hackerone
www.cve.org
5
node.js
http request smuggling
llhttp parser
crlf
http header fields
rfc7230

AI Score

7.8

Confidence

High

EPSS

0.002

Percentile

58.0%

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "https://github.com/nodejs/node",
    "versions": [
      {
        "version": "v20.3.1",
        "status": "affected",
        "lessThan": "v20.3.1",
        "versionType": "semver"
      },
      {
        "version": "v18.16.1",
        "status": "affected",
        "lessThan": "v18.16.1",
        "versionType": "semver"
      },
      {
        "version": "v16.20.1",
        "status": "affected",
        "lessThan": "v16.20.1",
        "versionType": "semver"
      }
    ]
  }
]