HTTP Request Smuggling Affecting nodejs:20/nodejs package, versions <1:20.19.2-1.module+el9.6.0+23146+be9976bd


Severity

Recommended
high

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL9-NODEJS-10186027
  • published20 May 2025
  • disclosed19 May 2025

Introduced: 19 May 2025

NewCVE-2025-23167  (opens in a new tab)
CWE-444  (opens in a new tab)

How to fix?

Upgrade RHEL:9 nodejs:20/nodejs to version 1:20.19.2-1.module+el9.6.0+23146+be9976bd or higher.
This issue was patched in RHSA-2025:8468.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs:20/nodejs package and not the nodejs:20/nodejs package as distributed by RHEL. See How to fix? for RHEL:9 relevant fixed versions and status.

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.

The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.

Impact:

  • This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.