A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

🗓️ 04 Sep 2025 07:32:59Reported by MicrosoftType

CVE-2025-23167 vulnerability in Microsoft products.

Reporter	Title	Published	Views	Family All 83
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in NodeJS affect IBM Business Automation Workflow Configuration Editor	11 Sep 202511:41	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Planning Analytics Advanced Certified Containers	14 Nov 202520:49	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Documentation Offline is vulnerable to `Node.js ReadFileUtf8 and HTTP Parser flaws` due to Node.js (CVE-2025-23165, CVE-2025-23167)	9 Dec 202510:59	–	ibm
Tenable Nessus	Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2025-1010)	12 Jun 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0090: nodejs:20 (ALINUX3-SA-2025:0090)	23 Jun 202500:00	–	nessus
Tenable Nessus	Fedora 41 : nodejs20 (2025-0c2b7a8f32)	28 May 202500:00	–	nessus
Tenable Nessus	Node.js 20.x < 20.19.2 / 22.x < 22.15.1 / 22.x < 22.15.1 / 23.x < 23.11.1 / 24.x < 24.0.2 Multiple Vulnerabilities (Wednesday, May 14, 2025 Security Releases).	15 May 202500:00	–	nessus
Tenable Nessus	Photon OS 4.0: Nodejs PHSA-2025-4.0-0820	25 Jun 202500:00	–	nessus
Tenable Nessus	RHEL 9 : nodejs:20 (RHSA-2025:8468)	3 Jun 202500:00	–	nessus
Tenable Nessus	RHEL 8 : nodejs:20 (RHSA-2025:8514)	4 Jun 202500:00	–	nessus