CVE-2023-30589

Aliases:GHSA-cggh-pq45-6h9xBIT-node-2023-30589BIT-node-min-2023-30589
Advisory lineage Upstream: 0 Downstream: 21
Modified
Published: 30 Jun 2023, 23:39
Last modified:04 Nov 2025, 16:10

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
1.92% LOW
2% probability +0.15%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

30 Jun 2023, 23:39
Published
Vulnerability first disclosed
04 Nov 2025, 16:10
Last Modified
Vulnerability information updated

Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 1.92% Percentile: 84%

Affected Systems

  • fedoraprojectfedora

    37 | 38

  • nodejsnode

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 16.0, < 16.20.1 | ≥ 17.0, < 17.* | ≥ 18.0, < 18.16.1 | ≥ 19.0, < 19.* | ≥ 20.0, < 20.3.1

  • nodejsnode.js

    ≥ 16.0.0, < 16.20.1 | ≥ 18.0.0, < 18.16.1 | ≥ 20.0.0, < 20.3.1

  • Npmllhttp

    < 8.1.1

References (21)