Home
MEDIUM: 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NDefault status
unaffected
4.0 (semver) before 4.*
affected
5.0 (semver) before 5.*
affected
6.0 (semver) before 6.*
affected
7.0 (semver) before 7.*
affected
8.0 (semver) before 8.*
affected
9.0 (semver) before 9.*
affected
10.0 (semver) before 10.*
affected
11.0 (semver) before 11.*
affected
12.0 (semver) before 12.*
affected
13.0 (semver) before 13.*
affected
14.0 (semver) before 14.*
affected
15.0 (semver) before 15.*
affected
16.0 (semver) before 16.*
affected
17.0 (semver) before 17.*
affected
18.0 (semver) before 18.*
affected
19.0 (semver) before 19.*
affected
20.0 (semver)
affected
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
Product status
4.0 (semver) before 4.*
5.0 (semver) before 5.*
6.0 (semver) before 6.*
7.0 (semver) before 7.*
8.0 (semver) before 8.*
9.0 (semver) before 9.*
10.0 (semver) before 10.*
11.0 (semver) before 11.*
12.0 (semver) before 12.*
13.0 (semver) before 13.*
14.0 (semver) before 14.*
15.0 (semver) before 15.*
16.0 (semver) before 16.*
17.0 (semver) before 17.*
18.0 (semver) before 18.*
19.0 (semver) before 19.*
20.0 (semver)
References
nodejs.org/en/blog/vulnerability/may-2025-security-releases