CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This...
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.
Impact:
* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
Classification
CVE ID: CVE-2025-23167
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
Vendor: nodejs
Product: node
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 9.12% (scored less or equal to compared to others)
EPSS Date: 2025-06-16 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-23167https://nodejs.org/en/blog/vulnerability/may-2025-security-releases