CVE-2023-30589

HIGH

Node.js 16.0.0-16.20.1 - HTTP Request Smuggling via CR Delimiter in llhttp Parser

Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all active Node.js versions: v16, v18, and v20.

Scores

CVSS v3 7.5
EPSS 0.0192
EPSS Percentile 83.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Status published
Products (4)
fedoraproject/fedora 37
fedoraproject/fedora 38
nodejs/node.js 16.0.0 - 16.20.1
npm/llhttp 0 - 8.1.1
Published Jul 01, 2023
Tracked Since Feb 18, 2026