CVE-2023-30589: XSS
First published: Sat Jul 01 2023(Updated: )
Node.js is vulnerable to HTTP request smuggling, caused by the failure to strictly use the CRLF sequence to delimit HTTP requests by the llhttp parser in the http module. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Node.js | =16.0.0 | |
| Nodejs Node.js | =18.0.0 | |
| Nodejs Node.js | =20.0.0 | |
| Nodejs Node.js | =20.2.0 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| npm/llhttp | <8.1.1 | 8.1.1 |
| Nodejs Node.js | >=16.0.0<16.20.1 | |
| Nodejs Node.js | >=18.0.0<18.16.1 | |
| Nodejs Node.js | >=20.0.0<20.3.1 | |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 | |
| ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.2 | 18.13.0+dfsg1-1ubuntu2.2 |
| debian/nodejs | <=12.22.12~dfsg-1~deb11u4<=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u4 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackerone.com/reports/2001873
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
- https://security.netapp.com/advisory/ntap-20230803-0009/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30589
- https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.1
- https://github.com/advisories/GHSA-cggh-pq45-6h9x (Advisory)
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220789
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220787
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220786
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220788
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220785
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2220784
- https://access.redhat.com/errata/RHSA-2023:4331
- https://access.redhat.com/errata/RHSA-2023:4330
- https://access.redhat.com/errata/RHSA-2023:4536
- https://access.redhat.com/errata/RHSA-2023:4537
- https://access.redhat.com/security/cve/cve-2023-30589
- https://access.redhat.com/errata/RHSA-2023:5361
- https://access.redhat.com/errata/RHSA-2023:5533
- https://bugzilla.redhat.com/show_bug.cgi?id=2219841
- https://exchange.xforce.ibmcloud.com/vulnerabilities/258624
- https://www.ibm.com/support/pages/node/7123154 (Advisory)
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
- https://www.cve.org/CVERecord?id=CVE-2023-30589
- https://ubuntu.com/security/notices/USN-6735-1
- https://launchpad.net/bugs/cve/CVE-2023-30589
- https://security-tracker.debian.org/tracker/CVE-2023-30589
- https://ubuntu.com/security/CVE-2023-30589
- https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152
Frequently Asked Questions
What is CVE-2023-30589?
CVE-2023-30589 is a vulnerability in the llhttp parser in the http module in Node v20.2.0 that can lead to HTTP Request Smuggling (HRS).
How does CVE-2023-30589 affect Node.js?
CVE-2023-30589 affects Node.js versions 16.0.0, 18.0.0, 20.0.0, and 20.2.0.
What is the severity of CVE-2023-30589?
CVE-2023-30589 has a severity rating of high.
How can I fix CVE-2023-30589?
To fix CVE-2023-30589, update the llhttp package to version 8.1.1 or higher.
Where can I find more information about CVE-2023-30589?
You can find more information about CVE-2023-30589 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-30589), [HackerOne](https://hackerone.com/reports/2001873), [GitHub](https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.1).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-cggh-pq45-6h9x
- alias/CVE-2023-30589
- collector/nvd-api
- agent/type
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- agent/weakness
- agent/author
- agent/severity
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- agent/references
- agent/description
- agent/event
- collector/github-advisory
- source/GitHub
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/16.0.0
- version/nodejs node.js/18.0.0
- version/nodejs node.js/20.0.0
- version/nodejs node.js/20.2.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/npm
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.1
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- version/ibm cognos analytics/11.1.1-11.1.7 fp7
- package-manager/ubuntu
- package-manager/debian