Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jZ2doLXBxNDUtNmg5eM4AA0Ks

llhttp vulnerable to HTTP request smuggling

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header field. This impacts all active Node.js versions: v16, v18, and v20.

Permalink: https://github.com/advisories/GHSA-cggh-pq45-6h9x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ2doLXBxNDUtNmg5eM4AA0Ks
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-cggh-pq45-6h9x, CVE-2023-30589
References: Repository: https://github.com/nodejs/llhttp
Blast Radius: 5.2

Affected Packages

npm:llhttp
Dependent packages: 1
Dependent repositories: 5
Downloads: 21 last month
Affected Version Ranges: < 8.1.1
Fixed in: 8.1.1
All affected versions: 1.0.1
All unaffected versions: