{"id":"CVE-2025-23167","details":"A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.","aliases":["BIT-node-2025-23167","BIT-node-min-2025-23167"],"modified":"2026-03-23T04:59:36.956415123Z","published":"2025-05-19T02:15:17Z","related":["CGA-9v74-2496-2p2r","MGASA-2025-0161","SUSE-SU-2025:02039-1","SUSE-SU-2025:02045-1"],"references":[{"type":"ARTICLE","url":"https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"}],"schema_version":"1.7.3"}