CVE-2025-23167

NONE EPSS 36.9%
Published May 19, 2025 · Last Modified Jun 17, 2026

Description

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.

Impact:

  • This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
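A strict framing check for the header terminator described above, as an added example (not Node.js or llhttp code). The function name `checkHeaderFraming` and the sample requests are constructed for illustration, and rejecting a bare LF is a stricter policy chosen here.

```javascript
// Added example: strict HTTP/1 header-block framing check for a front-end
// filter or test harness. Not taken from Node.js or llhttp.
const CR = 0x0d, LF = 0x0a;

// Scan raw request bytes and locate the end of the header block.
// Only CRLF CRLF is accepted as the terminator. A CR that is not followed by
// LF is reported as a framing error instead of being tolerated, so this check
// and a strict back-end parser agree on where the headers end.
function checkHeaderFraming(buf) {
  let lineStart = 0;
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR) {
      if (i + 1 >= buf.length) return { ok: false, reason: 'incomplete', offset: i };
      if (buf[i + 1] !== LF) return { ok: false, reason: 'bare CR', offset: i };
      if (i === lineStart) {
        // Empty line: end of headers, unless nothing preceded it.
        if (lineStart === 0) return { ok: false, reason: 'empty start line', offset: 0 };
        return { ok: true, headerEnd: i + 2 };
      }
      lineStart = i + 2;
      i++; // skip the LF of this CRLF
    } else if (buf[i] === LF) {
      // Assumption: strict policy, a lone LF is not accepted as a line ending.
      return { ok: false, reason: 'bare LF', offset: i };
    }
  }
  return { ok: false, reason: 'incomplete', offset: buf.length };
}

// Constructed sample inputs (not captured traffic).
const GOOD = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1');
// Same request, but the header block ends with \r\n\rX as in the description.
const BAD = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\rXrest', 'latin1');
const PARTIAL = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n', 'latin1');

for (const [name, sample] of [['good', GOOD], ['bad', BAD], ['partial', PARTIAL]]) {
  console.log(name, JSON.stringify(checkHeaderFraming(sample)));
}
```

A filter like this should reject the request outright on any non-`ok` result other than `incomplete`, which only means more bytes are needed.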

Threat Intelligence

EPSS Exploit Probability
36.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-444

References 1

  • nodejs.org https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.