CVE-2025-23167

MEDIUM6.5

A flaw in Node

Published May 19, 2025

Modified 9 months ago

Details

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.

Impact:

This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.

Affected Packages

Node.js

Windows 10 (1507)Windows 10 (1607) / Server 2016Windows 10 (1809) / Server 2019Windows 10 (1903)Windows 10 (1909)

References

WEB

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-23167

CVSS Analysis

CVSS v3.0

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

NoneA:N

6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Ecosystems(17)

Windows 10 (1507)Windows 10 (1607) / Server 2016 Windows 10 (1809) / Server 2019 Windows 10 (1903)Windows 10 (1909)

Timeline

PublishedMay 19, 2025

ModifiedMay 27, 2025