BIT-node-2025-23167

BIT-node-2025-23167 PUBLISHED CVSS 6.5 MEDIUM

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

Risk Scores

CVSS v3.0

6.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Bitnami	node	0, 0, 0

Timeline

May 21, 2025 CVE Published
May 21, 2025 CVE Updated

References

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases url
https://nvd.nist.gov/vuln/detail/CVE-2025-23167 url

Open in Interactive Console →