Medium severity 6.5 · NVD Advisory · Published May 19, 2025 · Updated Apr 15, 2026
CVE-2025-23167
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.
Impact: This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.
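A defensive check for the condition described above, as an added example that is not Node.js or llhttp code: `checkHeaderTermination` flags a header block whose final CR is not followed by LF, and `isAffectedRuntime` reads `process.versions` to tell whether the running Node.js is a 20.x build with llhttp below 9. The function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example; not Node.js or llhttp source. Names and samples are assumptions.
const CR = 0x0d, LF = 0x0a;

// Classify how the header block of a raw HTTP/1 message ends.
// ok is true only for the strict CRLF CRLF terminator; offset is where scanning stopped.
function checkHeaderTermination(buf) {
  for (let i = 0; i < buf.length; i++) {
    // Every LF that follows a CR is stepped over below, so an LF seen here is bare.
    if (buf[i] === LF) return { ok: false, offset: i, reason: 'bare LF' };
    if (buf[i] !== CR) continue;
    if (i + 1 >= buf.length) break; // need more bytes to decide
    if (buf[i + 1] !== LF) {
      // Covers the advisory's case: CR LF CR followed by a byte other than LF.
      return { ok: false, offset: i, reason: 'CR not followed by LF' };
    }
    if (buf[i + 2] === CR && buf[i + 3] === LF) {
      return { ok: true, offset: i + 4, reason: 'CRLF CRLF' };
    }
    i++; // step over the LF of this CRLF
  }
  return { ok: false, offset: buf.length, reason: 'incomplete' };
}

// True when the runtime matches the advisory's affected set:
// Node.js 20.x with a bundled llhttp older than version 9.
function isAffectedRuntime(versions = process.versions) {
  const major = (v) => parseInt(String(v).split('.')[0], 10);
  return major(versions.node) === 20 && major(versions.llhttp) < 9;
}

// Constructed sample request heads (not captured traffic).
const STRICT = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1');
const LENIENT = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\rX', 'latin1');

console.log(checkHeaderTermination(STRICT));
console.log(checkHeaderTermination(LENIENT));
console.log('affected runtime:', isAffectedRuntime());
```

A proxy or test harness can reject any message for which `ok` is false, so that the front end and the Node.js back end agree on where the headers end.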
Affected products
17 - osv-coords, 16 versions:
- pkg:apk/chainguard/nodejs-16 (no CPE), range: < 16.20.2-r15
- pkg:apk/chainguard/nodejs-16-doc (no CPE), range: < 16.20.2-r15
- pkg:apk/chainguard/nodejs-18 (no CPE), range: < 0
- pkg:apk/chainguard/nodejs-18-doc (no CPE), range: < 0
- pkg:apk/wolfi/nodejs-16 (no CPE), range: < 16.20.2-r15
- pkg:apk/wolfi/nodejs-16-doc (no CPE), range: < 16.20.2-r15
- pkg:apk/wolfi/nodejs-18 (no CPE), range: < 0
- pkg:apk/wolfi/nodejs-18-doc (no CPE), range: < 0
- pkg:bitnami/node (no CPE), range: < 20.19.2
- pkg:bitnami/node-min (no CPE), range: < 20.19.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 20.19.2-150600.3.12.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS (no CPE), range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS (no CPE), range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6 (no CPE), range: < 20.19.2-150600.3.12.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS (no CPE), range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 (no CPE), range: < 20.19.2-150500.11.21.1