CVE-2023-30589

NameCVE-2023-30589
DescriptionThe llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5589-1
Debian Bugs977716, 1039990

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)jessie0.10.29~dfsg-2vulnerable
stretch4.8.2~dfsg-1vulnerable
buster10.24.0~dfsg-1~deb10u1fixed
buster (security)10.24.0~dfsg-1~deb10u4fixed
bullseye (security), bullseye12.22.12~dfsg-1~deb11u4vulnerable
bookworm18.13.0+dfsg1-1vulnerable
bookworm (security)18.19.0+dfsg-6~deb12u1fixed
sid, trixie18.20.1+dfsg-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
llhttpITP977716
nodejssourcejessie(unfixed)end-of-life
nodejssourcestretch(unfixed)end-of-life
nodejssourcebuster(not affected)
nodejssourcebookworm18.19.0+dfsg-6~deb12u1DSA-5589-1
nodejssource(unstable)18.13.0+dfsg1-1.11039990

Notes

[bullseye] - nodejs <no-dsa> (Minor issue, too intrusive to backport)
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
https://hackerone.com/reports/2001873
https://github.com/advisories/GHSA-cggh-pq45-6h9x
Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)
Search for package or bug name: Reporting problems