Name | CVE-2025-23167 |
Description | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1105919 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
llhttp (PTS) | sid | 9.3.3~really9.3.0+~cs12.11.8-3 | fixed |
node-undici (PTS) | bookworm | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 | vulnerable |
bookworm (security) | 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 | vulnerable | |
trixie | 7.3.0+dfsg1+~cs24.12.11-1 | vulnerable | |
forky | 7.3.0+dfsg1+~cs24.12.11-2 | vulnerable | |
sid | 7.15.0+dfsg+~cs3.2.0-1 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
llhttp | source | (unstable) | (not affected) | |||
node-undici | source | (unstable) | (unfixed) | 1105919 |
[trixie] - node-undici <no-dsa> (Minor issue)
[bookworm] - node-undici <no-dsa> (Minor issue)
- llhttp <not-affected> (Fixed before initial upload to Debian)
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
https://github.com/nodejs/llhttp/pull/239
Fixed by: https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8 (v9.0.1)