CVE-2023-30589

NameCVE-2023-30589
DescriptionThe llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3886-1, DSA-5589-1
Debian Bugs1039990

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
llhttp (PTS)sid9.3.3~really9.3.0+~cs12.11.8-3fixed
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u7fixed
bookworm, bookworm (security)18.20.4+dfsg-1~deb12u1fixed
forky, trixie20.19.2+dfsg-1fixed
sid20.19.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
llhttpsource(unstable)(not affected)
nodejssourcebuster(not affected)
nodejssourcebullseye12.22.12~dfsg-1~deb11u5DLA-3886-1
nodejssourcebookworm18.19.0+dfsg-6~deb12u1DSA-5589-1
nodejssource(unstable)18.13.0+dfsg1-1.11039990

Notes

[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <not-affected> (Fixed before initial upload to Debian)
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
https://hackerone.com/reports/2001873
https://github.com/advisories/GHSA-cggh-pq45-6h9x
Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)
https://github.com/nodejs/llhttp/pull/239
Fixed by: https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8 (v9.0.1)

Search for package or bug name: Reporting problems