First published: Sat Jul 01 2023 (Updated: )
Node.js is vulnerable to HTTP request smuggling because the llhttp parser in the http module does not strictly require the CRLF sequence to delimit HTTP request lines and headers. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
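The advisory's root cause is a line-delimiter disagreement: a parser that accepts a bare LF where the standard requires CRLF can split the same bytes into different requests than a strict front-end does. The following is an added example, not code from Node.js or llhttp, showing what a strict check looks like: it reports every header-block line that is not CRLF-terminated and only parses a request head that passes. The function names and the sample requests are constructed for illustration.

```python
# Added example (not Node.js or llhttp code): strict CRLF delimiter check
# for an HTTP/1.1 request head. Function names and sample inputs are
# constructed for illustration.

from typing import Dict, List, Tuple

CRLF = b"\r\n"
HEAD_END = b"\r\n\r\n"


def check_line_delimiters(raw: bytes) -> List[str]:
    """Report every header-block line that is not terminated by CRLF.

    Returns an empty list when the request head is strictly CRLF-delimited.
    A lenient parser that also treats a bare LF as a line terminator can
    split the same bytes into different requests than a strict one does,
    which is the disagreement request smuggling relies on.
    """
    problems: List[str] = []
    end = raw.find(HEAD_END)
    if end == -1:
        problems.append("head is not terminated by CRLF CRLF")
        return problems
    head = raw[: end + len(CRLF)]  # up to and including the last header CRLF
    lineno = 0
    pos = 0
    while pos < len(head):
        nl = head.find(b"\n", pos)  # always found: head ends with CRLF
        line = head[pos : nl + 1]
        lineno += 1
        if line.endswith(CRLF):
            content = line[:-2]
        else:
            content = line[:-1]
            problems.append(f"line {lineno}: bare LF terminator")
        if b"\r" in content:
            problems.append(f"line {lineno}: stray CR inside line")
        pos = nl + 1
    return problems


def parse_head_strict(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Parse request line, headers and body, rejecting non-CRLF delimiters."""
    problems = check_line_delimiters(raw)
    if problems:
        raise ValueError("; ".join(problems))
    end = raw.find(HEAD_END)
    head_lines = raw[:end].split(CRLF)
    request_line = head_lines[0]
    headers: Dict[bytes, bytes] = {}
    for hl in head_lines[1:]:
        name, _, value = hl.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, raw[end + len(HEAD_END):]


# Constructed sample inputs
STRICT_REQUEST = (b"POST /login HTTP/1.1\r\n"
                  b"Host: app.example.test\r\n"
                  b"Content-Length: 3\r\n"
                  b"\r\n"
                  b"abc")
BARE_LF_REQUEST = (b"POST /login HTTP/1.1\r\n"
                   b"Host: app.example.test\n"   # bare LF instead of CRLF
                   b"Content-Length: 3\r\n"
                   b"\r\n"
                   b"abc")

if __name__ == "__main__":
    print(check_line_delimiters(STRICT_REQUEST))    # []
    print(check_line_delimiters(BARE_LF_REQUEST))   # ['line 2: bare LF terminator']
```

The check is deliberately stricter than many real parsers: rejecting the request outright is the safe default for a front-end or WAF, since tolerating a bare LF is exactly the leniency that lets two components disagree about request boundaries.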
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Node.js | =16.0.0 | |
| Nodejs Node.js | =18.0.0 | |
| Nodejs Node.js | =20.0.0 | |
| Nodejs Node.js | =20.2.0 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| npm/llhttp | <8.1.1 | 8.1.1 |
| Nodejs Node.js | >=16.0.0 <16.20.1 | |
| Nodejs Node.js | >=18.0.0 <18.16.1 | |
| Nodejs Node.js | >=20.0.0 <20.3.1 | |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 | |
| ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.2 | 18.13.0+dfsg1-1ubuntu2.2 |
| debian/nodejs | <=12.22.12~dfsg-1~deb11u4, <=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u1, 10.24.0~dfsg-1~deb10u4, 18.19.0+dfsg-6~deb12u1, 18.20.1+dfsg-4, 20.13.1+dfsg-1 |
CVE-2023-30589 is a vulnerability in the llhttp parser in the http module in Node v20.2.0 that can lead to HTTP Request Smuggling (HRS).
CVE-2023-30589 affects Node.js versions 16.0.0, 18.0.0, 20.0.0, and 20.2.0.
CVE-2023-30589 has a severity rating of high.
To fix CVE-2023-30589, update the llhttp package to version 8.1.1 or higher.
You can find more information about CVE-2023-30589 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-30589), [HackerOne](https://hackerone.com/reports/2001873), [GitHub](https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.1).