CVE-2025-23167 The advisory has been revoked - it doesn't affect any version of package nodejs  (opens in a new tab)


Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN13-NODEJS-10175980
  • published16 May 2025
  • disclosed19 May 2025

Introduced: 16 May 2025

CVE-2025-23167  (opens in a new tab)

Amendment

The Debian security team deemed this advisory irrelevant for Debian:13.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Debian.

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.

Impact:

  • This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.