Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.
An HTTP Request Smuggling vulnerability has been identified in Node. The issue stems from the llhttp parser not strictly using the CRLF sequence to delimit HTTP requests. This weakness allows attackers to manipulate HTTP requests and potentially smuggle them to the backend server.
This vulnerability affects specific versions of the package and can result in unauthorized access or data leakage. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node
Affected versions: 4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 12, 14
Vulnerability Info
The issue was introduced in version 4.0 and stems from improper handling of the CRLF sequence in HTTP requests.
For instance, in a scenario where an attacker sends a crafted HTTP request, if the llhttp parser processes the CR character without the LF, the system may misinterpret the request. This behavior can be exploited by attackers to smuggle requests to the backend server.
This vulnerability is a result of flawed logic in the request parsing, and may allow attackers to manipulate HTTP requests and responses.
- https://www.cve.org/CVERecord?id=CVE-2023-30589
- https://hackerone.com/reports/2001873
Credits
- Yadhu Krishna M
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
