CVE-2023-30589

7.5 HIGH

📋 TL;DR

This vulnerability in Node.js's llhttp parser allows HTTP Request Smuggling (HRS) by accepting carriage return (CR) characters alone instead of requiring CRLF sequences to delimit HTTP headers. Attackers can exploit this to bypass security controls, poison caches, or hijack user sessions. All Node.js v16, v18, and v20 installations using the http module are affected.

💻 Affected Systems

Products:
  • Node.js
Versions: v16.x, v18.x, v20.x (specifically v20.2.0 mentioned, but all active versions impacted)
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Node.js's built-in http/https modules. Applications behind proxies or load balancers are particularly vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers smuggle malicious requests through front-end proxies to directly attack back-end systems, potentially leading to cache poisoning, session hijacking, credential theft, or web cache deception.

🟠 Likely Case

HTTP request smuggling that bypasses security controls like WAFs or load balancers, enabling attacks against internal applications or other users.

🟢 If Mitigated

Limited impact if proper request validation and strict HTTP protocol enforcement are implemented at multiple layers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of HTTP request smuggling techniques and the ability to send crafted HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js v20.3.0, v18.16.1, v16.20.1

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/

Restart Required: Yes

Instructions:

1. Check current Node.js version: node --version
2. Update to patched version: npm install -g n && n [version] OR download from nodejs.org
3. Restart all Node.js applications and services

🔧 Temporary Workarounds

HTTP Request Validation Middleware

all

Implement custom middleware that validates HTTP headers and strictly requires CRLF sequences as delimiters

Reverse Proxy Validation

all

Configure reverse proxies (nginx, Apache, HAProxy) to normalize and validate HTTP requests before forwarding to Node.js

🧯 If You Can't Patch

  • Deploy WAF rules to detect and block HTTP requests with malformed header delimiters
  • Implement strict HTTP protocol validation at load balancer or reverse proxy layer

🔍 How to Verify

Check if Vulnerable:

Check whether the Node.js version falls within one of these ranges: v16.0.0-16.20.0, v18.0.0-18.16.0, or v20.0.0-20.2.0

Check Version:

node --version

Verify Fix Applied:

Confirm Node.js version is v16.20.1+, v18.16.1+, or v20.3.0+

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with malformed headers
  • Unexpected 400/500 errors from backend systems
  • Mismatched request/response sequences

Network Indicators:

  • HTTP traffic containing CR characters without LF in headers
  • Abnormal request smuggling patterns

SIEM Query:

http.headers contains "\r" AND NOT http.headers contains "\r\n"
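
A request can carry ordinary CRLF delimiters and a single bare CR at the same time, so a check has to look for a CR that is not immediately followed by LF rather than for the absence of CRLF. The following is an added example, not code from the advisory or from Node.js: it scans the raw bytes of a captured request head for that condition; the function name `findBareCR` and the sample requests are constructed for illustration.

```javascript
'use strict';

// Scan the raw bytes of one HTTP request for a CR (0x0d) in the head
// (request line + headers) that is not immediately followed by LF (0x0a).
// Returns one finding per bare CR: its byte offset and the affected line.
function findBareCR(raw) {
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'latin1');
  // The head ends at the first CRLF CRLF; the body may hold arbitrary bytes,
  // so it is excluded from the scan.
  const end = buf.indexOf('\r\n\r\n');
  const head = end === -1 ? buf : buf.subarray(0, end + 4);
  const findings = [];
  let lineStart = 0;
  for (let i = 0; i < head.length; i++) {
    if (head[i] !== 0x0d) continue;
    if (head[i + 1] === 0x0a) {
      // Proper CRLF delimiter: the next line starts after it.
      lineStart = i + 2;
      i++;
      continue;
    }
    // Bare CR: report the whole CRLF-delimited line it sits in.
    let lineEnd = head.indexOf('\r\n', i);
    if (lineEnd === -1) lineEnd = head.length;
    findings.push({
      offset: i,
      line: JSON.stringify(head.toString('latin1', lineStart, lineEnd)),
    });
  }
  return findings;
}

// Constructed sample inputs (not taken from real traffic).
const CLEAN = 'GET / HTTP/1.1\r\nHost: example.test\r\nX-Sample-A: 1\r\n\r\n';
const MIXED = 'GET / HTTP/1.1\r\nHost: example.test\r\n' +
              'X-Sample-A: 1\rX-Sample-B: 2\r\n\r\n';
const BODY_CR = 'POST / HTTP/1.1\r\nHost: example.test\r\n' +
                'Content-Length: 9\r\n\r\nbody\rmore';

for (const [name, req] of Object.entries({ CLEAN, MIXED, BODY_CR })) {
  const hits = findBareCR(req);
  console.log(name, hits.length ? hits : 'no bare CR in head');
}
```

The input must be the bytes as they arrived on the wire (proxy capture or pcap); header values exposed by the http module after parsing no longer show which delimiter was used.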
