CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Published: Jul 1, 2023
Updated: May 4, 2025
CVE: CVE-2023-30589
GHSA: GHSA-cggh-pq45-6h9x
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
llhttp	-	8.1.1
fedoraproject / fedora	37	37.x
fedoraproject / fedora	38	38.x
nodejs / node.js	20.0.0	20.3.1
nodejs / node.js	16.0.0	16.20.1
nodejs / node.js	18.0.0	18.16.1

https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.1
https://hackerone.com/reports/2001873
https://lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE
https://lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF
https://lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY
https://lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE
https://lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5
https://lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76
https://lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
https://security.netapp.com/advisory/ntap-20230803-0009
https://security.netapp.com/advisory/ntap-20230803-0009/
https://security.netapp.com/advisory/ntap-20240621-0006/

Vulnerability Database

289,599

CVE-2023-30589