CVE-2025-23167
Published: May 20, 2025Last modified: July 20, 2025
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | Stream | nodejs | Fixed (22.11.0-r0) |
| Liberica NIK | 23 (JDK 17) | core | Fixed (23.0.9+1) |
| standard (nodejs) | Fixed (23.0.9+1) | ||
| 23 (JDK 21) | core | Fixed (23.1.8+1) | |
| standard (nodejs) | Fixed (23.1.8+1) | ||
| 24 (JDK 24) | nodejs | Fixed (24.2.2+1) |