PT-2025-21254 · Debian+7 · Debian+8

Kenballus

·

Published

2025-01-01

·

Updated

2025-10-06

·

CVE-2025-23167

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions prior to the llhttp v9 upgrade; node-undici in Debian Linux (affected versions not specified)
Description: A flaw in the HTTP parser of Node.js allows improper termination of HTTP/1 headers using the byte sequence \r\n\rX (CR LF CR followed by an arbitrary byte X) instead of the required \r\n\r\n (CR LF CR LF). A front-end proxy that enforces the correct terminator and a Node.js back end that accepts the malformed one disagree on where the header section ends; this inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
Recommendations: For Node.js versions prior to the llhttp v9 upgrade, upgrade llhttp to version 9, which enforces correct header termination. For node-undici in Debian Linux, no fixed version is known at the time of writing.
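The following is an added example, not code from this advisory, from llhttp or from Node.js. It puts two HTTP/1 header-section scanners side by side: a strict one that applies the RFC 9112 rule (the header section ends only at CR LF CR LF, anything else after CR LF CR is a parse error) and a lenient one that models the behaviour the description above attributes to the vulnerable parser (CR LF CR followed by any byte X accepted as the terminator). The function names, the modelling choice that the byte X is swallowed in place of the LF, and the sample requests are all assumptions made for illustration; the point shown is the disagreement between the two scanners on the same bytes, which is what a smuggling attack relies on.

```javascript
// Added example (not code from the advisory, llhttp or Node.js): two
// HTTP/1 header-section scanners that disagree on where the header block
// ends, which is the inconsistency CVE-2025-23167 describes.
//   strict = true : RFC 9112 rule, the section ends only at CR LF CR LF;
//                   CR LF CR followed by any other byte is a hard error.
//   strict = false: models the flaw described in the advisory text, where
//                   CR LF CR followed by any byte X is taken as the
//                   terminator. Treating X as swallowed in place of the LF
//                   is an assumption, not a copy of llhttp's state machine.
const CR = 0x0d;
const LF = 0x0a;

// Scan one header section (request line + header lines) from `buf`.
// Returns { lines, end } where `end` is the offset just past the terminator,
// or null if the buffer does not yet hold a complete header section.
function parseHeaderSection(buf, strict) {
  const lines = [];
  let i = 0;
  while (i < buf.length) {
    if (buf[i] === CR) {                       // a line that starts with CR
      if (i + 1 >= buf.length) return null;    // terminator not yet complete
      if (buf[i + 1] === LF) {
        if (lines.length === 0) { i += 2; continue; } // tolerate a leading empty line
        return { lines, end: i + 2 };          // CR LF CR LF: proper end
      }
      if (strict) {
        throw new Error(
          `malformed header terminator at offset ${i}: CR followed by 0x` +
          buf[i + 1].toString(16).padStart(2, '0') + ' instead of LF');
      }
      return { lines, end: i + 2 };            // lenient: CR X accepted as end
    }
    let j = i;                                 // find the CRLF ending this line
    while (j + 1 < buf.length && !(buf[j] === CR && buf[j + 1] === LF)) j++;
    if (j + 1 >= buf.length) return null;      // line not yet complete
    lines.push(buf.toString('latin1', i, j));
    i = j + 2;
  }
  return null;
}

// Feed the same bytes to both scanners and report the disagreement. A front
// end and a back end that answer differently here are desynchronised, which
// is the condition request smuggling exploits.
function compare(raw) {
  const lenient = parseHeaderSection(raw, false);
  let strict;
  try {
    strict = parseHeaderSection(raw, true);
  } catch (err) {
    strict = { error: err.message };
  }
  return {
    strict,
    lenient,
    // bytes the lenient parser would go on to read as body or as the next request
    lenientRemainder: lenient ? raw.toString('latin1', lenient.end) : null,
  };
}

// Constructed sample requests (not taken from the advisory).
const GOOD = Buffer.from(
  'GET /health HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1');
const BAD_TERMINATOR = Buffer.from(
  'GET /health HTTP/1.1\r\nHost: example.test\r\n\rX-Smuggled: 1\r\n\r\n', 'latin1');

console.log(JSON.stringify(compare(GOOD), null, 2));
console.log(JSON.stringify(compare(BAD_TERMINATOR), null, 2));
```

Run it with node. On GOOD both scanners agree (header section ends at offset 44, nothing left over). On BAD_TERMINATOR the strict scanner rejects the request at the CR followed by 0x58 ('X'), while the lenient one declares the headers finished at the same offset 44 and leaves "-Smuggled: 1\r\n\r\n" to be interpreted as body or as a following request. The strict branch is the check a parser that enforces CR LF CR LF performs; if two components in a request path differ on it, the page's smuggling scenario applies.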

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

AZL-61914
AZL-65063
BDU:2025-10618
BIT-NODE-2025-23167
BIT-NODE-MIN-2025-23167
CESA-2025_8514
CVE-2025-23167
ECHO-5136-5B45-28CC
INFSA-2025_8468
MGASA-2025-0161
RHSA-2025:8468
RHSA-2025:8514
RHSA-2025_8468
RHSA-2025_8514
SUSE-SU-2025:02039-1
SUSE-SU-2025:02045-1
SUSE-SU-2025_02039-1
SUSE-SU-2025_02045-1

Affected Products

Centos
Debian
Node.Js
Red Hat
Red Os
Rocky Linux
Suse
Llhttp
Node-Undici