Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-30589

Published: 01/07/2023 Updated: 12/12/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0
Subscribe to Node.js

Vulnerability Summary

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

nodejs node.js

fedoraproject fedora 37

fedoraproject fedora 38

Vendor Advisories

Debian CVElist Bug Report Logs: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Debian Bug report logs - #1039990 nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-listsdebiannet>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 30 Jun 2023 17:21:02 UTC ...
Red Hat: Moderate: nodejs:16 security, bug fix, and enhancement update
Synopsis Moderate: nodejs:16 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8Red Hat Product Secu ...
Red Hat: Important: nodejs security, bug fix, and enhancement update
Synopsis Important: nodejs security, bug fix, and enhancement update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat P ...
Red Hat: Moderate: nodejs:18 security, bug fix, and enhancement update
Synopsis Moderate: nodejs:18 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8Red Hat Product Secu ...
Red Hat: Moderate: nodejs security, bug fix, and enhancement update
Synopsis Moderate: nodejs security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated th ...
Red Hat: Important: nodejs:16 security, bug fix, and enhancement update
Synopsis Important: nodejs:16 security, bug fix, and enhancement update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 86 Extended Update ...
Red Hat:
DescriptionThe MITRE CVE dictionary describes this issue as: The llhttp parser in the http module in Node v2020 does not strictly use the CRLF sequence to delimit HTTP requests This can lead to HTTP Request Smuggling (HRS) The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser According to RFC7230 sectio ...
Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Analyzer
Hitachi Ops Center Analyzer contains the following vulnerabilities: CVE-2022-43548, CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807, CVE-2023-30581, CVE-2023-30585, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590 Affected products and versions are listed below Please upgrade your version to the appropriate versio ...

ICS Advisories

https://ics-cert.us-cert.gov/advisories/98c399e36f6402fb998b84a1a7aaa7b0
Critical Infrastructure Sectors: Critical Manufacturing

References

NVD-CWE-Otherhttps://hackerone.com/reports/2001873https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/https://security.netapp.com/advisory/ntap-20230803-0009/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039990https://nvd.nist.govhttps://www.cisa.gov/news-events/ics-advisories/icsa-24-046-15https://access.redhat.com/security/cve/cve-2023-30589
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322cross-site request forgeryunauthorizedCVE-2024-33925reflected XSSCVE-2023-51580CVE-2023-51579CVE-2015-2051CVE-2023-51609
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook