CVE-2025-23167

MEDIUM

Node.js 20 - Request Smuggling

Title source: llm

Description

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

Exploits (1)

nomisec WORKING POC

by abhisek3122 · poc

https://github.com/abhisek3122/CVE-2025-23167

View Code ZIP pw:eip

References (1)

[Various Sources] https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Scores

CVSS v3 6.5

EPSS 0.0010

EPSS Percentile 26.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (17)

nodejs/node 10.0 - 10.*

nodejs/node 11.0 - 11.*

nodejs/node 12.0 - 12.*

nodejs/node 13.0 - 13.*

nodejs/node 14.0 - 14.*

nodejs/node 15.0 - 15.*

nodejs/node 16.0 - 16.*

nodejs/node 17.0 - 17.*

nodejs/node 18.0 - 18.*

nodejs/node 19.0 - 19.*

... and 7 more

Published May 19, 2025

Tracked Since Feb 18, 2026