Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-30589

UNKNOWN
Published 2023-06-30T23:39:59.161Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-30589. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

NodeJS

Node

Affected Versions:

4.0 5.0 6.0 7.0 8.0 9.0 10.0 11.0 12.0 13.0 14.0 15.0 16.0 17.0 18.0 19.0 20.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

llhttp vulnerable to HTTP request smuggling

GHSA-cggh-pq45-6h9x

Advisory Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Affected Packages

npm llhttp
ECOSYSTEM: ≥0 <8.1.1

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-30589
WEB https://hackerone.com/reports/2001873
PACKAGE https://github.com/nodejs/llhttp
WEB https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.1
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76
WEB https://security.netapp.com/advisory/ntap-20230803-0009
WEB https://security.netapp.com/advisory/ntap-20240621-0006

Advisory provided by GitHub Security Advisory Database. Published: July 1, 2023, Modified: February 13, 2025

References

https://hackerone.com/reports/2001873
https://lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
https://lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
https://security.netapp.com/advisory/ntap-20230803-0009/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
https://security.netapp.com/advisory/ntap-20240621-0006/
Published: 2023-06-30T23:39:59.161Z
Last Modified: 2025-04-30T22:24:55.930Z
Copied to clipboard!