Vulnerability Details : CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
Products affected by CVE-2023-30589
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-30589
0.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-30589
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
N/A
|
N/A
|
Oracle:CPUOct2023 |
References for CVE-2023-30589
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
[SECURITY] Fedora 38 Update: python-aiohttp-3.8.5-1.fc38 - package-announce - Fedora Mailing-ListsPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
[SECURITY] Fedora 38 Update: nodejs18-18.16.1-1.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
[SECURITY] Fedora 37 Update: python-aiohttp-3.8.5-1.fc37 - package-announce - Fedora Mailing-ListsPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
[SECURITY] Fedora 38 Update: nodejs16-16.20.1-1.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
[SECURITY] Fedora 37 Update: nodejs16-16.20.1-1.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://security.netapp.com/advisory/ntap-20240621-0006/
February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security
-
https://hackerone.com/reports/2001873
Node.js | Report #2001873 - HTTP Request Smuggling via Empty headers separated by CR | HackerOneExploit;Issue Tracking;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
[SECURITY] Fedora 37 Update: nodejs18-18.16.1-1.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://security.netapp.com/advisory/ntap-20230803-0009/
CVE-2023-30589 Node.js Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
Jump to