Vulnerability-Lookup

MSRC_CVE-2025-23167

Vulnerability from csaf_microsoft - Published: 2025-05-02 00:00 - Updated: 2026-06-02 01:40

Summary

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2025-23167

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 19445-17084		—
Unresolved product id: 19787-17086		—

Known affected 11 products

Product	Version	Remediation
Unresolved product id: 17084-10	—	None Available
Unresolved product id: 17084-13	—	Vendor Fix fix
Unresolved product id: 17086-11	—	Vendor Fix fix
Unresolved product id: 17086-9	—	None Available
Unresolved product id: 17084-6	—	None Available
Unresolved product id: 17084-3	—	None Available
Unresolved product id: 17086-2	—	None Available
Unresolved product id: 17086-8	—	None Available
Unresolved product id: 17086-7	—	None Available
Unresolved product id: 17084-5	—	None Available
Unresolved product id: 17086-4	—	None Available

Known not affected 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 17086-12		—
Unresolved product id: 17084-1		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-23167 A flaw in Node.js 20\u0027s HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-23167.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "A flaw in Node.js 20\u0027s HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.",
    "tracking": {
      "current_release_date": "2026-06-02T01:40:32.000Z",
      "generator": {
        "date": "2026-06-02T07:27:32.941Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-23167",
      "initial_release_date": "2025-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-04T00:32:59.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2025-12-06T14:36:47.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2025-12-07T01:45:31.000Z",
          "legacy_version": "3",
          "number": "3",
          "summary": "Information published."
        },
        {
          "date": "2026-02-21T02:58:36.000Z",
          "legacy_version": "4",
          "number": "4",
          "summary": "Information published."
        },
        {
          "date": "2026-03-31T14:54:23.000Z",
          "legacy_version": "5",
          "number": "5",
          "summary": "Information published."
        },
        {
          "date": "2026-04-29T14:46:40.000Z",
          "legacy_version": "6",
          "number": "6",
          "summary": "Information published."
        },
        {
          "date": "2026-05-31T01:40:30.000Z",
          "legacy_version": "7",
          "number": "7",
          "summary": "Information published."
        },
        {
          "date": "2026-06-02T01:40:32.000Z",
          "legacy_version": "8",
          "number": "8",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 nodejs 0:20.14.0-9.azl3",
                "product": {
                  "name": "azl3 nodejs 0:20.14.0-9.azl3",
                  "product_id": "10"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 nodejs 0:20.14.0-10.azl3",
                "product": {
                  "name": "azl3 nodejs 0:20.14.0-10.azl3",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 nodejs 0:20.14.0-14.azl3",
                "product": {
                  "name": "azl3 nodejs 0:20.14.0-14.azl3",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 nodejs 0:20.14.0-13.azl3",
                "product": {
                  "name": "azl3 nodejs 0:20.14.0-13.azl3",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "nodejs"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 fluent-bit 0:3.1.9-4.azl3",
                "product": {
                  "name": "\u003cazl3 fluent-bit 0:3.1.9-4.azl3",
                  "product_id": "13"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 fluent-bit 0:3.1.9-4.azl3",
                "product": {
                  "name": "azl3 fluent-bit 0:3.1.9-4.azl3",
                  "product_id": "19445"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 fluent-bit 0:3.0.6-2.cbl2",
                "product": {
                  "name": "\u003ccbl2 fluent-bit 0:3.0.6-2.cbl2",
                  "product_id": "11"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 fluent-bit 0:3.0.6-2.cbl2",
                "product": {
                  "name": "cbl2 fluent-bit 0:3.0.6-2.cbl2",
                  "product_id": "19787"
                }
              }
            ],
            "category": "product_name",
            "name": "fluent-bit"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "cbl2 nodejs18 0:18.20.3-8.cbl2",
                "product": {
                  "name": "cbl2 nodejs18 0:18.20.3-8.cbl2",
                  "product_id": "9"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 nodejs18 0:18.20.3-12.cbl2",
                "product": {
                  "name": "cbl2 nodejs18 0:18.20.3-12.cbl2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 nodejs18 0:18.20.3-9.cbl2",
                "product": {
                  "name": "cbl2 nodejs18 0:18.20.3-9.cbl2",
                  "product_id": "8"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 nodejs18 0:18.20.3-10.cbl2",
                "product": {
                  "name": "cbl2 nodejs18 0:18.20.3-10.cbl2",
                  "product_id": "7"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 nodejs18 0:18.20.3-11.cbl2",
                "product": {
                  "name": "cbl2 nodejs18 0:18.20.3-11.cbl2",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "nodejs18"
          },
          {
            "category": "product_name",
            "name": "cbl2 nghttp2 0:1.57.0-2.cbl2",
            "product": {
              "name": "cbl2 nghttp2 0:1.57.0-2.cbl2",
              "product_id": "12"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 nodejs 0:20.14.0-15.azl3",
            "product": {
              "name": "azl3 nodejs 0:20.14.0-15.azl3",
              "product_id": "1"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:20.14.0-9.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-10"
        },
        "product_reference": "10",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 fluent-bit 0:3.1.9-4.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-13"
        },
        "product_reference": "13",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 fluent-bit 0:3.1.9-4.azl3 as a component of Azure Linux 3.0",
          "product_id": "19445-17084"
        },
        "product_reference": "19445",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 fluent-bit 0:3.0.6-2.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-11"
        },
        "product_reference": "11",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 fluent-bit 0:3.0.6-2.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "19787-17086"
        },
        "product_reference": "19787",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nghttp2 0:1.57.0-2.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-12"
        },
        "product_reference": "12",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nodejs18 0:18.20.3-8.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:20.14.0-10.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:20.14.0-14.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nodejs18 0:18.20.3-12.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:20.14.0-15.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nodejs18 0:18.20.3-9.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nodejs18 0:18.20.3-10.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:20.14.0-13.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nodejs18 0:18.20.3-11.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-23167",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "17086-12"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "hackerone",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "19445-17084",
          "19787-17086"
        ],
        "known_affected": [
          "17084-10",
          "17084-13",
          "17086-11",
          "17086-9",
          "17084-6",
          "17084-3",
          "17086-2",
          "17086-8",
          "17086-7",
          "17084-5",
          "17086-4"
        ],
        "known_not_affected": [
          "17086-12",
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-23167 A flaw in Node.js 20\u0027s HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-23167.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-10"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-9"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-6"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-8"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-7"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-5"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-4"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-09-04T00:32:59.000Z",
          "details": "Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-13",
            "17086-11"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "17084-10",
            "17084-13",
            "17086-11",
            "17086-9",
            "17084-6",
            "17084-3",
            "17086-2",
            "17086-8",
            "17086-7",
            "17084-5",
            "17086-4"
          ]
        }
      ],
      "title": "A flaw in Node.js 20\u0027s HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."
    }
  ]
}

CVE-2025-23167 (GCVE-0-2025-23167)

Vulnerability from cvelistv5 – Published: 2025-05-19 01:25 – Updated: 2025-05-27 18:31

Summary

Severity

6.5 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Assigner

hackerone

References

1 reference

URL	Tags
https://nodejs.org/en/blog/vulnerability/may-2025…

Impacted products

1 product

Vendor	Product	Version
nodejs	node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) Affected: 20.0 , ≤ 20.19.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23167",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T15:09:55.841520Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-444",
                "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T15:13:21.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "20.19.1",
              "status": "affected",
              "version": "20.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js 20\u0027s HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-27T18:31:36.494Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2025-23167",
    "datePublished": "2025-05-19T01:25:08.454Z",
    "dateReserved": "2025-01-12T01:00:00.648Z",
    "dateUpdated": "2025-05-27T18:31:36.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2025-23167

CVE-2025-23167 (GCVE-0-2025-23167)

Tags

Sightings

Nomenclature