The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
References
Configurations
History
21 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Dec 2023, 14:33
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:nodejs:node.js:18.0.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:20.2.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:16.0.0:*:*:*:-:*:*:* |
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/ - Patch, Third Party Advisory | |
References | (MISC) https://security.netapp.com/advisory/ntap-20230803-0009/ - Third Party Advisory | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/ - Patch, Third Party Advisory |
17 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Aug 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Aug 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Jul 2023, 19:18
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/ - Mailing List | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/ - Mailing List | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/ - Mailing List | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/ - Mailing List | |
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
First Time |
Fedoraproject
Fedoraproject fedora |
21 Jul 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Jul 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Jul 2023, 17:21
Type | Values Removed | Values Added |
---|---|---|
First Time |
Nodejs node.js
Nodejs |
|
CWE | NVD-CWE-Other | |
CPE | cpe:2.3:a:nodejs:node.js:16.0.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:20.2.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:20.0.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:18.0.0:*:*:*:-:*:*:* |
|
References | (MISC) https://hackerone.com/reports/2001873 - Exploit, Issue Tracking, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
01 Jul 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-01 00:15
Updated : 2024-06-21 19:15
NVD link : CVE-2023-30589
Mitre link : CVE-2023-30589
CVE.ORG link : CVE-2023-30589
JSON object : View
Products Affected
fedoraproject
- fedora
nodejs
- node.js
CWE