The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2023-06-30T23:39:59.161Z
Updated: 2024-08-02T14:28:51.669Z
Reserved: 2023-04-13T01:00:12.086Z
Link: CVE-2023-30589
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-07-01T00:15:10.293
Modified: 2024-11-21T08:00:28.570
Link: CVE-2023-30589
Redhat