The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: hackerone
Published: 2023-06-30T23:39:59.161Z
Updated: 2023-06-30T23:39:59.161Z
Reserved: 2023-04-13T01:00:12.086Z
Link: CVE-2023-30589
JSON object: View
NVD Information
Status : Modified
Published: 2023-07-01T00:15:10.293
Modified: 2024-06-21T19:15:26.617
Link: CVE-2023-30589
JSON object: View
Redhat Information
No data.
CWE