CVE-2023-30589

CVSS v3.1 7.5 (High)
EPSS 0.20 % (57th)
Affected Products 2
Advisories 31
NVD Status Modified

The llhttp parser used by the http module in Node.js v20.2.0 does not strictly require the CRLF sequence to delimit HTTP header fields. This can lead to HTTP Request Smuggling (HRS).

A CR character on its own (without a following LF) is sufficient to terminate a header field in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence delimits each header field, so a front-end (proxy, load balancer, WAF) that follows the RFC and a Node.js back-end can disagree about where one field ends and the next begins, including fields such as Content-Length that define message framing. This affects all active Node.js release lines: v16, v18 and v20 (fixed in v16.20.1, v18.16.1 and v20.3.1 according to the affected-version ranges below).
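The following is an added example, not code from this page and not llhttp's or Node.js's own implementation. It models the two delimiting behaviours described above with two tiny header splitters (one CRLF-only, one that also treats a bare CR as a field terminator) and runs both over a constructed request in which a bare CR hides a Content-Length field inside another header's value. The point it shows is the framing disagreement that makes the bug exploitable: the strict parser sees no Content-Length and treats the trailing bytes as the next request, while the lenient parser consumes part of those bytes as a body. It also includes the check a front-end or detection rule would apply (a CR in the header block not followed by LF). All request bytes are constructed for the example.

```python
"""Model of CR-only vs CRLF-only header delimiting (constructed example)."""
import re


def split_fields_strict(head: bytes) -> list:
    """Delimit header fields only on CRLF, as RFC 7230 section 3 requires."""
    return head.split(b"\r\n")


def split_fields_lenient(head: bytes) -> list:
    """Model of the flaw: CRLF or a bare CR both end a header field.

    This reproduces the behaviour the advisory describes; it is not llhttp's
    real code.
    """
    return re.split(rb"\r\n|\r", head)


def parse_request(raw: bytes, split_fields):
    """Return (request_line, {name_lower: value}, bytes after the header block).

    Both models end the header block at the first CRLF CRLF so the only
    difference under test is how fields inside the block are delimited.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = split_fields(head)
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header field: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def declared_body_length(headers: dict) -> int:
    """Body length each side believes the request declares (0 if absent)."""
    return int(headers.get(b"content-length", b"0"))


def has_bare_cr(raw: bytes) -> bool:
    """Detection check: a CR not followed by LF anywhere in the header block."""
    head = raw.partition(b"\r\n\r\n")[0]
    return re.search(rb"\r(?!\n)", head) is not None


# Constructed input: the X-Comment value contains a bare CR followed by what
# a CR-tolerant parser reads as a second field, Content-Length: 4.
SMUGGLED = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Comment: hi\rContent-Length: 4\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)


def compare(raw: bytes) -> dict:
    """Report, for each model, the declared length, the consumed body and
    what each side would parse next as a new request."""
    out = {}
    for label, splitter in (("strict", split_fields_strict),
                            ("lenient", split_fields_lenient)):
        _, headers, rest = parse_request(raw, splitter)
        n = declared_body_length(headers)
        out[label] = {
            "content_length": n,
            "body": rest[:n],
            "next_request_starts": rest[n:n + 20],
        }
    return out


if __name__ == "__main__":
    for side, view in compare(SMUGGLED).items():
        print(side, view)
    print("bare CR in header block:", has_bare_cr(SMUGGLED))
```

The strict side reports Content-Length 0 and sees `GET /admin HTTP/1.1` as the next request; the lenient side reports Content-Length 4, swallows `GET ` as a body, and is left to parse `/admin HTTP/1.1...` as a request line. That is the desynchronisation request smuggling builds on. A front-end that wants to stop this rather than merely split on CRLF should reject (or replace with SP) any bare CR in the header block, which is what RFC 9112 section 2.2, the successor to RFC 7230, requires of recipients; `has_bare_cr` is that check in its simplest form.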

Weaknesses
CWE-NVD-Other
CVE Status
PUBLISHED
NVD Status
Modified
CNA
HackerOne
Published Date
2023-07-01 00:15:10
Updated Date
2024-06-21 19:15:26

Affected Products


Configuration #1

  Product          CPE 2.3                              From (inclusive)   Up to (exclusive)
  Nodejs Node.js   cpe:2.3:a:nodejs:node.js::*:*:*:-    16.0.0             16.20.1
  Nodejs Node.js   cpe:2.3:a:nodejs:node.js::*:*:*:-    18.0.0             18.16.1
  Nodejs Node.js   cpe:2.3:a:nodejs:node.js::*:*:*:-    20.0.0             20.3.1

Configuration #2

  Product                CPE 2.3                              Version
  Fedoraproject Fedora   cpe:2.3:o:fedoraproject:fedora:37    37
  Fedoraproject Fedora   cpe:2.3:o:fedoraproject:fedora:38    38