{"id":"AZL-65063","summary":"CVE-2025-23167 affecting package nodejs18 18.20.3-11","details":"A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.","modified":"2026-04-21T04:32:39.659552Z","published":"2025-05-19T02:15:17Z","upstream":["CVE-2025-23167"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23167"}],"affected":[{"package":{"name":"nodejs18","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/nodejs18"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"18.20.3-11"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-65063.json"}}],"schema_version":"1.7.5"}