Fluid Attacks Database

Description

llhttp vulnerable to HTTP request smuggling The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	llhttp	>=0 <8.1.1	8.1.1
debian 11	nodejs	=12.21.0~dfsg-5 \|\| =12.22.10~dfsg-1 \|\| =12.22.10~dfsg-2 \|\| =12.22.12~dfsg-1~deb11u1 \|\| =12.22.12~dfsg-1~deb11u2 \|\| =12.22.12~dfsg-1~deb11u3 \|\| =12.22.12~dfsg-1~deb11u4 \|\| =12.22.4~dfsg-1 \|\| =12.22.5~dfsg-1 \|\| =12.22.5~dfsg-2 \|\| =12.22.5~dfsg-2~11u1 \|\| =12.22.5~dfsg-3 \|\| =12.22.5~dfsg-4 \|\| =12.22.5~dfsg-5 \|\| =12.22.5~dfsg-6 \|\| =12.22.5~dfsg-7 \|\| =12.22.7~dfsg-1 \|\| =12.22.7~dfsg-2 \|\| =12.22.9~dfsg-1 \|\| >=0 <12.22.12~dfsg-1~deb11u5	12.22.12~dfsg-1~deb11u5
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| >=0 <18.19.0+dfsg-6~deb12u1	18.19.0+dfsg-6~deb12u1
debian 13	nodejs	>=0 <18.13.0+dfsg1-1.1	18.13.0+dfsg1-1.1
debian 14	nodejs	>=0 <18.13.0+dfsg1-1.1	18.13.0+dfsg1-1.1
rpm rhel9.0	nodejs	<1:16.20.2-1.el9_0	1:16.20.2-1.el9_0
rpm rhel8	nodejs	-	-
rpm rhel8.6	nodejs	<1:16.20.2-2.module+el8.6.0+19897+9590a839	1:16.20.2-2.module+el8.6.0+19897+9590a839
rpm rhel9	nodejs	<1:16.20.1-1.el9_2	1:16.20.1-1.el9_2

Aliases

1. CVE-2023-305892. NVD-2023-305893. OSV-2023-305894. OSV-DEBIAN-2023-305895. GCVE-2023-305896. lists.debian.org7. SECURITY-TRACKER-CVE-2023-30589

References

1. https://hackerone.com/reports/20018732. https://github.com/nodejs/llhttp/releases/tag/release%2Fv8.1.13. https://lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE4. https://lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF5. https://lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY6. https://lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE7. https://lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE58. https://lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A769. https://security.netapp.com/advisory/ntap-20230803-000910. https://security.netapp.com/advisory/ntap-20240621-0006