CVE-2025-23167
- Source
- https://cve.org/CVERecord?id=CVE-2025-23167
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23167.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-23167
- Aliases
- Downstream
- Related
- Published
- 2025-05-19T02:15:17Z
- Modified
- 2026-03-23T04:59:36.956415123Z
- Summary
- [none]
- Details
-
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using
\r\n\rXinstead of the required\r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.The issue was resolved by upgrading
llhttpto version 9, which enforces correct header termination.Impact: * This vulnerability affects only Node.js 20.x users prior to the
llhttpv9 upgrade. - References