AZL-27279

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27279.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-27279

Upstream

CVE-2023-30589

Published

2023-07-01T00:15:10Z

Modified

2026-04-01T05:09:05.132966Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

CVE-2023-30589 affecting package nodejs18 for versions less than 18.17.1-2

Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

References

https://nvd.nist.gov/vuln/detail/CVE-2023-30589

Affected packages

Azure Linux:2 / nodejs18

Package

Name: nodejs18
Purl: pkg:rpm/azure-linux/nodejs18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.17.1-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27279.json"