- Description
- A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: this vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
- Source
- support@hackerone.com
- NVD status
- Awaiting Analysis
CVSS 3.0
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- Hype score
- Not currently trending
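The header-terminator inconsistency in the description above, as an added example (not Node.js or llhttp code): a strict end-of-headers scanner that accepts only `\r\n\r\n`, beside a lenient scanner that models the described flaw by treating `\r\n\r` plus any byte as the terminator, and a classifier a front-end proxy could use to flag requests the two parsers would split differently. The sample requests are constructed.

```javascript
// Strict scan: the header block ends only at CRLF CRLF.
// Returns the index just past the terminator, or -1 if none is present.
function strictHeaderEnd(buf) {
  const idx = buf.indexOf("\r\n\r\n");
  return idx === -1 ? -1 : idx + 4;
}

// Lenient scan modelling the flaw: "\r\n\r" followed by ANY byte is
// accepted as the end of the header block (the "\r\n\rX" case).
function lenientHeaderEnd(buf) {
  for (let i = 0; i + 3 < buf.length; i++) {
    if (buf[i] === 0x0d && buf[i + 1] === 0x0a && buf[i + 2] === 0x0d) {
      return i + 4;
    }
  }
  return -1;
}

// Classify a raw request by comparing where the two scanners end the headers.
//   "ok"                   both agree on a proper CRLF CRLF terminator
//   "incomplete"           neither finds a terminator (need more bytes)
//   "malformed-terminator" only the lenient scanner finds one ("\r\n\rX")
//   "parser-disagreement"  both find one, but at different offsets
function classifyRequest(raw) {
  const buf = Buffer.from(raw, "latin1");
  const strict = strictHeaderEnd(buf);
  const lenient = lenientHeaderEnd(buf);
  if (strict === -1 && lenient !== -1) return "malformed-terminator";
  if (strict === -1) return "incomplete";
  if (strict !== lenient) return "parser-disagreement";
  return "ok";
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  wellFormed: "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
  truncated: "GET / HTTP/1.1\r\nHost: example.test\r\n",
  badTerminator: "GET / HTTP/1.1\r\nHost: example.test\r\n\rX",
  mixed: "GET / HTTP/1.1\r\nHost: example.test\r\n\rXbody\r\n\r\n",
};
```

A proxy that rejects anything other than "ok" before forwarding removes the parser disagreement that smuggling depends on.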
Vulnerabilities have been discovered in “Node.js” (CVE-2025-23166, CVE-2025-23167, CVE-2025-23165). #ETX #certaz #cybersecurity #kibertəhlükəsizlik #xəbərdarlıq https://t.co/L8wLgMwlJx
@CERTAzerbaijan
19 May 2025
🚨Alert🚨CVE-2025-23166(HIGH) : Improper error handling in async cryptographic operations crashes process CVE-2025-23167(Medium) : Improper HTTP header block termination in llhttp 📊 26.4M+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter https://t.co/wB
@HunterMapping
15 May 2025