CVE-2023-30589 — HIGH (7.5)

Q: How severe is CVE-2023-30589?

CVE-2023-30589 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-30589?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora.

Vulnerability Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 16.0.0, < 16.20.1
Fedoraproject	Fedora	37

References

https://hackerone.com/reports/2001873ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.netapp.com/advisory/ntap-20230803-0009/Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://hackerone.com/reports/2001873ExploitIssue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]PatchThird Party Advisory

FAQ

What is CVE-2023-30589?

CVE-2023-30589 is a vulnerability with a CVSS score of 7.5 (HIGH). The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) i...

How severe is CVE-2023-30589?

CVE-2023-30589 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-30589?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora.