153.json
{
  "cve": [
    "CVE-2025-23167"
  ],
  "vulnerable": "20.x",
  "patched": "^20.19.2",
  "ref": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases/",
  "description": "Improper HTTP header block termination in llhttp",
  "overview": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.\n",
  "affectedEnvironments": [
    "all"
  ],
  "severity": "medium"
}