Node.js 20 HTTP Header Parsing Flaw Allows Request Smuggling

Vulnerability

A vulnerability in Node.js version 20's HTTP parser permits improper termination of HTTP/1 headers. Instead of the required double line break, headers can be incorrectly ended with a single line break followed by a character. This flaw enables request smuggling, allowing attackers to bypass proxy-based access controls and send unauthorized requests. The vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade, which addressed the issue by enforcing correct header termination.
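As an added example (not Node.js or llhttp code), the following check accepts only a properly terminated HTTP/1 header block and reports the single-line-break-plus-character ending described above; the sample requests are constructed.

```javascript
// Strict HTTP/1 header-block terminator check. Accepts only CRLF CRLF (or,
// per the bare-LF tolerance in RFC 9112, LF LF) and reports a CR that is not
// immediately followed by LF instead of treating it as a line break, which
// is the lenient behaviour the advisory describes.
function checkHeaderTermination(raw) {
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'latin1');
  const CR = 0x0d, LF = 0x0a;
  let lineStart = 0; // offset at which the current header line begins

  for (let i = 0; i < buf.length; i++) {
    const b = buf[i];
    if (b === CR) {
      if (buf[i + 1] !== LF) {
        // A bare CR is invalid in HTTP/1 (RFC 9112 section 2.2); flag it.
        return { ok: false, offset: i, reason: 'bare CR not followed by LF' };
      }
      if (i === lineStart) {
        // CRLF on an otherwise empty line: the header block ends here.
        return { ok: true, headerEnd: i + 2, terminator: 'CRLF CRLF' };
      }
      lineStart = i + 2;
      i++; // skip the LF that completes this CRLF
    } else if (b === LF) {
      if (i === lineStart) {
        return { ok: true, headerEnd: i + 1, terminator: 'LF LF' };
      }
      lineStart = i + 1;
    }
  }
  return { ok: false, offset: buf.length, reason: 'no header terminator found' };
}

// Constructed samples: a well-formed request and one whose headers end with
// a single line break followed by a character, as the advisory describes.
const SAMPLES = {
  wellFormed: 'GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n',
  malformed:  'GET /admin HTTP/1.1\r\nHost: example.test\r\n\rX',
};

// Runs the check over every sample and returns the results keyed by name.
function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    results[name] = checkHeaderTermination(req);
  }
  return results;
}
```

A parser that returns ok for the malformed sample is exhibiting the lenient termination this advisory is about.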

Impact

Exploitation of this vulnerability could lead to request smuggling, allowing unauthorized requests to be sent while bypassing proxy-based access controls.

Remediation

Users can upgrade to Node.js versions 20.19.2, 22.15.1, 23.11.1, or 24.0.2 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread: 7.8
  impact: 0.6
  exploitability: 4.7
  remediation: 7.7
  relevance: 0.0
  threat: 0.0
  urgency: 2.9
  incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.