CVE-2025-23167 in Node.js

Summary

by MITRE • 05/19/2025

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.

Impact: This vulnerability affects only Node.js 20.x users running a build prior to the `llhttp` v9 upgrade.


Analysis

by VulDB Data Team • 10/30/2025

The vulnerability identified as CVE-2025-23167 represents a critical flaw in Node.js 20's HTTP parser that stems from improper handling of header termination sequences. This issue specifically affects the HTTP/1.1 protocol implementation, where the parser should strictly enforce the required line termination format of a carriage return followed by a line feed. The flaw allows attackers to exploit the parser's leniency by using the sequence `\r\n\rX` instead of the standard `\r\n\r\n` for header termination, creating a discrepancy that can be leveraged for malicious purposes.

The technical root cause of this vulnerability resides in the underlying llhttp library that Node.js 20 uses for HTTP parsing operations. This library's parsing logic fails to properly validate and enforce the strict HTTP header termination requirements defined in RFC 7230, which mandates that header fields must be terminated by a CRLF sequence. When the parser encounters the non-standard termination sequence `\r\n\rX`, it processes the headers incorrectly, leading to parsing ambiguities that can be exploited by attackers.

From an operational security perspective, this vulnerability creates significant risks for Node.js 20 applications that rely on proxy-based access controls and security mechanisms. The improper header termination allows attackers to perform HTTP request smuggling attacks, where malicious requests can be crafted to bypass security filters and access controls implemented at proxy layers. This enables unauthorized access to resources and can potentially lead to data breaches or privilege escalation within applications that depend on proper header parsing for security enforcement.

The impact of this vulnerability aligns with CWE-1295, which addresses improper handling of HTTP headers, and maps to ATT&CK technique T1190 for Proxying, where adversaries exploit parsing inconsistencies to bypass security controls. Applications using Node.js 20 prior to the llhttp v9 upgrade are particularly vulnerable, as the fix implemented in version 9 enforces strict compliance with HTTP header termination requirements, eliminating the parsing ambiguity that enabled the exploitation.

Organizations affected by this vulnerability should immediately implement the llhttp v9 upgrade as the primary mitigation strategy, ensuring all Node.js 20 applications receive the updated HTTP parsing capabilities. Additionally, security teams should conduct thorough audits of proxy configurations and access control mechanisms to identify potential exploitation attempts, while monitoring network traffic for unusual HTTP request patterns that might indicate attempted smuggling attacks. The fix addresses the core parsing inconsistency by enforcing proper CRLF sequence validation, restoring the expected behavior of HTTP header processing and eliminating the attack surface that previously enabled bypass of proxy-based security controls.

Responsible: Hackerone

Reservation: 01/12/2025

Disclosure: 05/19/2025

Moderation: accepted

CPE: ready

EPSS: 0.00466

KEV: no

Activities: very low
