PT-2023-4497 · Node.Js+8

Yadhu Krishna M +1 · Published 2023-06-20 · Updated 2025-11-04 · CVE-2023-30589

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions v16 through v20

Description: The issue lies in the llhttp parser used by the http module, which does not strictly use the CRLF sequence to delimit HTTP requests, leading to HTTP Request Smuggling (HRS). In llhttp a CR character alone (without LF) is sufficient to delimit HTTP header fields, contrary to RFC7230 section 3, which states that only the CRLF sequence delimits each header field.

Recommendations: For Node.js versions v16 through v20, no information about a newer version containing a fix for this vulnerability is available at the moment.
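To make the delimiter point concrete, here is an added example (not from the advisory and not Node.js or llhttp code) that splits an HTTP/1.1 header block two ways: a lenient splitter that mirrors the behaviour described above (a bare CR also ends a header field) and a strict one that accepts only the two-byte CRLF sequence, as RFC7230 section 3 requires. It also includes a small helper a defender can run over raw request bytes at the edge to flag bare CRs for logging. The function names and the sample requests are constructed for this example.

```javascript
'use strict';
// Added example, not from the advisory and not Node.js/llhttp code.
// Splits an HTTP/1.1 header block leniently (a CR alone ends a field, the
// behaviour the advisory describes for llhttp) and strictly (RFC 7230
// section 3: only CRLF ends a field), plus a detection helper that counts
// bare CRs in raw request bytes. All sample input is constructed.

const CR = 0x0d;
const LF = 0x0a;

// Lenient splitter: CR ends a line; a following LF, if present, is skipped.
function splitHeaderLinesLenient(buf) {
  const lines = [];
  let start = 0;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR) {
      lines.push(buf.subarray(start, i).toString('latin1'));
      if (i + 1 < buf.length && buf[i + 1] === LF) i++;
      start = i + 1;
    }
  }
  if (start < buf.length) lines.push(buf.subarray(start).toString('latin1'));
  return lines;
}

// Strict splitter: only the two-byte CRLF sequence delimits a line.
// A CR not followed by LF, a bare LF, or an unterminated final line throws.
function splitHeaderLinesStrict(buf) {
  const lines = [];
  let start = 0;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR) {
      if (i + 1 >= buf.length || buf[i + 1] !== LF) {
        throw new Error(`bare CR at offset ${i}`);
      }
      lines.push(buf.subarray(start, i).toString('latin1'));
      i++; // consume the LF that completes the CRLF pair
      start = i + 1;
    } else if (buf[i] === LF) {
      throw new Error(`bare LF at offset ${i}`);
    }
  }
  if (start < buf.length) throw new Error('final line not terminated by CRLF');
  return lines;
}

// Turn header lines (request line first, empty line last) into a map of
// lower-cased field names to trimmed values.
function headerMap(lines) {
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;
    const colon = line.indexOf(':');
    if (colon < 1) throw new Error(`malformed header field: ${JSON.stringify(line)}`);
    headers[line.slice(0, colon).toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

// Detection helper: number of CR bytes not immediately followed by LF.
// A non-zero count in a raw request is worth logging at a proxy or edge.
function countBareCR(buf) {
  let n = 0;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR && (i + 1 >= buf.length || buf[i + 1] !== LF)) n++;
  }
  return n;
}

// Constructed samples: a well-formed request and one whose second header
// field is separated from the first by a bare CR.
const CLEAN = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1');
const BARE_CR = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\rX-Extra: 1\r\n\r\n', 'latin1');

// Show how the two parsers disagree on the same bytes.
function demo() {
  const lenient = headerMap(splitHeaderLinesLenient(BARE_CR));
  let strictError = null;
  try { headerMap(splitHeaderLinesStrict(BARE_CR)); } catch (e) { strictError = e.message; }
  return { lenientFields: Object.keys(lenient), strictError, bareCRs: countBareCR(BARE_CR) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The lenient path turns the constructed request into two header fields (host and x-extra), while the strict path rejects the same bytes at the bare CR; that disagreement between two parsers in one request path is exactly what makes CR-only delimiting a smuggling risk. The `countBareCR` check is the cheap signal to alert on while an upgrade is pending.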

Exploit

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

ALSA-2023:4330
ALSA-2023:4331
ALSA-2023:4536
ALSA-2023:4537
ALT-PU-2023-4642
ALT-PU-2024-14696
ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-27278
AZL-27279
BDU:2023-04893
BIT-NODE-2023-30589
BIT-NODE-MIN-2023-30589
CESA-2023_4536
CESA-2023_4537
CVE-2023-30589
DLA-3886-1
DSA-5589-1
GHSA-CGGH-PQ45-6H9X
MGASA-2023-0226
OESA-2023-1551
OPENSUSE-SU-2023_3408-1
OPENSUSE-SU-2023_3455-1
OPENSUSE-SU-2024:13021-1
OPENSUSE-SU-2024:13564-1
RHSA-2023:4330
RHSA-2023:4331
RHSA-2023:4536
RHSA-2023:4537
RHSA-2023:5361
RHSA-2023:5533
RHSA-2023_4330
RHSA-2023_4331
RHSA-2023_4536
RHSA-2023_4537
RLSA-2023:4536
RLSA-2023:4537
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1
SUSE-SU-2023:3306-1
SUSE-SU-2023:3408-1
SUSE-SU-2023:3455-1
USN-6735-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu