4 matches found
nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling
A flaw was found in the HTTP parser of Node.js. This vulnerability allows attackers to perform request smuggling and bypass proxy-based access controls via improperly terminated HTTP/1 headers using \r\n\rX instead of the standard \r\n\r\n...
BIT-NODE-2025-23167
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
CVE-2025-23167
This CVE affects Node.js 20.x where the HTTP parser may terminate headers incorrectly (\r\n\rX instead of \r\n\r\n), enabling request smuggling and bypassing proxy-based access controls. Root cause: improper header termination in llhttp prior to version 9. The issue is resolved by upgrading llhtt...
PT-2019-3468
Name of the Vulnerable Software and Affected Versions: Varnish Cache versions prior to 6.0.4 LTS; Varnish Cache versions 6.1.x through 6.2.0. Description: An issue in Varnish Cache allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests, causing an automatic restart with a...