CVE-2023-30589

NameCVE-2023-30589
DescriptionThe llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs977716, 1039990

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)buster10.24.0~dfsg-1~deb10u1fixed
buster (security)10.24.0~dfsg-1~deb10u3fixed
bullseye12.22.12~dfsg-1~deb11u3vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u4vulnerable
trixie, bookworm, sid18.13.0+dfsg1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
llhttpITP977716
nodejssourcebuster(not affected)
nodejssource(unstable)(unfixed)1039990

Notes

[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
https://hackerone.com/reports/2001873
https://github.com/advisories/GHSA-cggh-pq45-6h9x
Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)

Search for package or bug name: Reporting problems