mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-29 16:29:28 +02:00
0xMarcio
2.5 KiB
2.5 KiB
CVE-2025-23167
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n.This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.Impact:* This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.
POC
Reference
No PoCs from references.
Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/KshitijPatil08/Elevate-Task3
- https://github.com/abhisek3122/CVE-2025-23167
- https://github.com/mrk336/ElkStack-Secured-From-Logs-to-CVEs
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/sharmapintu987654321-boop/Nessus-Scan-Reports