CVE-2025-23167 Node.js HTTP Request Smuggling via llhttp
CVE-2025-23167 describes a request smuggling vulnerability in Node.js 20's HTTP parser due to improper header termination, allowing attackers to bypass proxy access controls.
CVE-2025-23167 is a request smuggling vulnerability affecting Node.js 20.x. It stems from the llhttp HTTP parser bundled with that line accepting `\r\n\rX` as a valid HTTP/1 header terminator instead of requiring the correct `\r\n\r\n` sequence. In a well-formed message, `\r\n\r\n` is the CRLF that ends the last header line followed by an empty line; `\r\n\rX` is that CRLF followed by a line that begins with a bare CR, which a conforming parser does not treat as the end of the headers. Because the Node.js server and a front-end proxy disagree on where the first request ends, an attacker can craft a byte stream that the proxy frames as one request and the backend frames as two, so that a request the proxy never evaluated against its access controls is delivered to the application. The issue is resolved by upgrading llhttp to version 9, which enforces strict header termination; since llhttp is vendored into Node.js rather than installed separately, the fix reaches applications as a Node.js 20.x release that bundles llhttp 9. Applications on a Node.js 20.x release that still carries the earlier llhttp remain exposed to unauthorized access or data manipulation through whatever the proxy was meant to protect.
Attack Chain
- The attacker builds a single HTTP/1 request whose header block ends with `\r\n\rX` instead of `\r\n\r\n`, and places a second, unauthorized request (for example a request line for a path the proxy would block) immediately after that sequence.
- The attacker sends the request through the front-end proxy. To a conforming parser, `\r\n\rX` does not end the headers: the line beginning with the bare CR is just another header line, so the proxy sees one request whose headers run on to the next genuine `\r\n\r\n`, and it evaluates its access rules against that single request line only.
- The proxy forwards the bytes unchanged to the backend Node.js server. This step is the exploitability condition: a front end that rejects header lines containing a bare CR stops the attack here.
- The Node.js server, running an llhttp version before 9, treats `\r\n\rX` as the end of the first request's headers and finishes processing that request.
- The bytes that follow are parsed as a new, independent request, which the server processes as if it had arrived on its own. This is the smuggled request.
- Because the proxy only ever saw the first request line, the smuggled request is never checked against the proxy's access controls.
- The attacker thereby reaches resources or functionality on the Node.js server that the proxy was supposed to protect; what follows (data exposure, data modification, service disruption) depends on what those endpoints allow.
Impact
This vulnerability affects Node.js 20.x deployments running a release that predates the llhttp 9 upgrade. Successful exploitation lets an attacker bypass proxy-based access controls and deliver requests the proxy never evaluated to the backend. What that yields depends on what the proxy was protecting: read access to data behind restricted paths, or state-changing calls to internal or administrative endpoints. Request smuggling does not by itself execute code on the server; it widens what the attacker can reach, and any further impact comes from the endpoints that become reachable. Exposure is broad because Node.js 20 is a widely deployed LTS line, and any application on it that relies on a front-end proxy for access enforcement is a candidate.
Recommendation
- Upgrade Node.js 20.x to a release that bundles llhttp 9 or later, which resolves CVE-2025-23167. llhttp is vendored into Node.js and cannot be updated on its own, so the fix arrives only through a Node.js update; `node -p process.versions.llhttp` shows which llhttp a given binary carries.
- Where the front-end proxy can be configured to reject header lines containing a bare CR, enable that: a request the proxy refuses never reaches the backend parser.
- Deploy the Sigma rule "Detect CVE-2025-23167 Node.js HTTP Smuggling Attempt" to identify requests with the malformed header termination.
- Monitor for HTTP requests containing `\r\n\rX` (CRLF, CR, then any byte other than LF) in the header section. Standard access logs do not record the raw header bytes, so this needs a source that does, such as a proxy or WAF request dump or packet capture, and the match should be confined to the bytes before the first genuine `\r\n\r\n` so that body content cannot trigger it.
Detection coverage (2 rules)
Detect CVE-2025-23167 Node.js HTTP Smuggling Attempt
Severity: high. Detects CVE-2025-23167 exploitation: HTTP requests with the malformed header termination sequence '\r\n\rX'.
Detect CVE-2025-23167 Node.js HTTP Smuggling Attempt - Proxy Logs
Severity: high. Detects CVE-2025-23167 exploitation: HTTP requests with the malformed header termination sequence '\r\n\rX' as seen from proxy logs.