
GHSA-cggh-pq45-6h9x

GitHub Security Advisory

llhttp vulnerable to HTTP request smuggling

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header field. This impacts all active Node.js versions: v16, v18, and v20.

Affected Packages

npm llhttp
Affected versions: 0 (fixed in 8.1.1)

Related CVEs

Key Information

GHSA ID
GHSA-cggh-pq45-6h9x
Published
July 1, 2023 12:30 AM
Last Modified
February 13, 2025 7:00 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
llhttp
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.