CVE-2023-30589
nodejs - security update
7.5
HIGH
CVSS 3.1
EPSS 1.9%
Description
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header field. This impacts all Node.js active versions: v16, v18, and v20.
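The parsing difference the advisory describes, as an added example (not llhttp's or Node's own code): a lenient splitter that mimics the pre-fix behaviour of treating a bare CR as a field delimiter, beside a strict RFC 7230 splitter that a front-end proxy or validator can use to reject such requests before they reach a parser that disagrees with it. The sample header block is constructed.

```python
from __future__ import annotations
import re

# RFC 7230 section 3: header fields are terminated by CRLF only.
CRLF = b"\r\n"

# Constructed sample: a bare CR between two would-be fields. A strict
# parser sees one (malformed) field; the lenient one sees two.
SAMPLE_BLOCK = b"Host: example.test\rX-Injected: 1\r\nContent-Type: text/plain\r\n"

def split_header_lines_lenient(block: bytes) -> list[bytes]:
    """Mimic the pre-fix llhttp behaviour from the advisory: a bare CR
    (no LF) also terminates a header field."""
    return [ln for ln in re.split(rb"\r\n|\r", block) if ln]

def split_header_lines_strict(block: bytes) -> list[bytes]:
    """RFC 7230 behaviour: only CRLF terminates a field. Any CR or LF that
    is not part of a CRLF pair makes the block malformed and is rejected."""
    if block.endswith(CRLF):
        block = block[:-len(CRLF)]
    lines = block.split(CRLF)
    for ln in lines:
        if b"\r" in ln or b"\n" in ln:
            raise ValueError("bare CR/LF in header block: reject with 400")
    return lines

def parse_headers(lines: list[bytes]) -> list[tuple[bytes, bytes]]:
    """Turn already-split lines into (lower-cased name, value) pairs."""
    headers = []
    for ln in lines:
        name, sep, value = ln.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {ln!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def header_block_is_well_formed(block: bytes) -> bool:
    """Front-end check: True only if strict splitting accepts the block."""
    try:
        split_header_lines_strict(block)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    lenient = parse_headers(split_header_lines_lenient(SAMPLE_BLOCK))
    print("lenient parser saw", len(lenient), "fields:", [n for n, _ in lenient])
    print("strict parser accepts block:", header_block_is_well_formed(SAMPLE_BLOCK))
```

Two hops that split the same bytes into different field sets is exactly the condition request smuggling needs, so the defensive fix is to reject any bare CR or LF at the first hop rather than to tolerate it.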
How to fix CVE-2023-30589
To remediate CVE-2023-30589, upgrade the affected package to a fixed version below.
- upgrade to 16.20.1 or later
- upgrade to 16.20.1 or later
- upgrade to 12.22.12~dfsg-1~deb11u5 or later
- upgrade to 12.22.12~dfsg-1~deb11u5 or later
- upgrade to 8.1.1 or later
Is CVE-2023-30589 being exploited?
Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 8.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |