CVE-2025-23167

EUVD-2025-27706
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.

Impact:
* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Debian logo
Debian Releases
Debian Product
Codename
llhttp
forky
9.4.1+~cs12.11.9-3
fixed
sid
9.4.1+~cs12.11.9-3
fixed
node-undici
bookworm
no-dsa
bookworm (security)
vulnerable
forky
7.24.6+dfsg+~cs3.2.0-3
fixed
sid
7.24.6+dfsg+~cs3.2.0-3
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs20
suse enterprise sap 15 SP6
20.19.2-150600.3.12.1
fixed
suse enterprise server 15 SP5
20.19.2-150500.11.21.1
fixed
suse enterprise server 15 SP6
20.19.2-150600.3.12.1
fixed
nodejs20-devel
suse enterprise sap 15 SP6
20.19.2-150600.3.12.1
fixed
suse enterprise server 15 SP5
20.19.2-150500.11.21.1
fixed
suse enterprise server 15 SP6
20.19.2-150600.3.12.1
fixed
nodejs20-docs
suse enterprise sap 15 SP6
20.19.2-150600.3.12.1
fixed
suse enterprise server 15 SP5
20.19.2-150500.11.21.1
fixed
suse enterprise server 15 SP6
20.19.2-150600.3.12.1
fixed
npm20
suse enterprise sap 15 SP6
20.19.2-150600.3.12.1
fixed
suse enterprise server 15 SP5
20.19.2-150500.11.21.1
fixed
suse enterprise server 15 SP6
20.19.2-150600.3.12.1
fixed
Common Weakness Enumeration
References
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases