CVE-2023-30589

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30589

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30589.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-30589

Aliases

Related

Published

2023-07-01T00:15:10Z

Modified

2024-09-14T20:51:53.457635Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

References

Affected packages

Debian:11 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.22.12~dfsg-1~deb11u5

Affected versions

12.*

12.21.0~dfsg-5

12.22.4~dfsg-1

12.22.5~dfsg-1

12.22.5~dfsg-2~11u1

12.22.5~dfsg-2

12.22.5~dfsg-3

12.22.5~dfsg-4

12.22.5~dfsg-5

12.22.5~dfsg-6

12.22.5~dfsg-7

12.22.7~dfsg-1

12.22.7~dfsg-2

12.22.9~dfsg-1

12.22.10~dfsg-1

12.22.10~dfsg-2

12.22.12~dfsg-1~deb11u1

12.22.12~dfsg-1~deb11u2

12.22.12~dfsg-1~deb11u3

12.22.12~dfsg-1~deb11u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.19.0+dfsg-6~deb12u1

Affected versions

18.*

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.13.0+dfsg1-1.1

Affected versions

18.*

18.13.0+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Fixed

9869bdc93d7bd8b439c4a2598607ee779483ee53

Affected versions

v20.*

v20.0.0

v20.1.0

v20.2.0

v20.3.0