By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2023-30589

HTTP Request Smuggling
Affects
Node.js
in
Node.js
No items found.
Versions
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.

An HTTP Request Smuggling vulnerability has been identified in Node. The issue stems from the llhttp parser not strictly using the CRLF sequence to delimit HTTP requests. This weakness allows attackers to manipulate HTTP requests and potentially smuggle them to the backend server.

This vulnerability affects specific versions of the package and can result in unauthorized access or data leakage. Details on affected versions and reproduction steps are provided below.

Details

Module Info

  • Affected packages: Node
  • Affected versions: 4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
  • GitHub repository: https://github.com/nodejs/node
  • Published packages: https://github.com/nodejs/node/releases
  • Package manager: npm
  • Fixed in: Node.js NES version 12, 14

Vulnerability Info

The issue was introduced in version 4.0 and stems from improper handling of the CRLF sequence in HTTP requests.

For instance, in a scenario where an attacker sends a crafted HTTP request, if the llhttp parser processes the CR character without the LF, the system may misinterpret the request. This behavior can be exploited by attackers to smuggle requests to the backend server.

This vulnerability is a result of flawed logic in the request parsing, and may allow attackers to manipulate HTTP requests and responses.


- https://www.cve.org/CVERecord?id=CVE-2023-30589

- https://hackerone.com/reports/2001873

Mitigation

This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.


- Update to a patched LTS version of Node.js

- Leverage a commercial support partner like HeroDevs for post-EOL security.

Refer to the NES documentation for upgrade instructions.

Credits


- Yadhu Krishna M

Pink arrow
Pink arrow
CVE-2022-32215
CVE-2022-32214
CVE-2022-32212
CVE-2022-32213
CVE-2022-32223
CVE-2022-35256
CVE-2023-23919
CVE-2023-30589
CVE-2023-32006
CVE-2023-32002
CVE-2023-32559
CVE-2023-38552
CVE-2023-30588
CVE-2023-30590
CVE-2024-22019
CVE-2024-22025
CVE-2024-21892
CVE-2024-22017
CVE-2024-27983
CVE-2024-27982
CVE-2024-27982
CVE-2024-22020
CVE-2023-39333
CVE-2024-36138
CVE-2023-46809
HD-2024-1409
HD-2024-1408
HD-2024-1407
CVE-2024-27980
CVE-2025-23087
CVE-2025-23088
CVE-2025-23089
CVE-2025-23083
CVE-2025-23084
CVE-2025-23085
CVE-2025-23166
CVE-2025-23167
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2023-30589
PROJECT Affected
Node.js
Versions Affected
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Published date
June 30, 2023
≈ Fix date
October 10, 2024
Fixed in
NES for Node.js
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
Category
HTTP Request Smuggling
Sign up for the latest vulnerability alerts fixed in
NES for Node.js
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.