{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/llhttp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-23167"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js (20.x)","llhttp"],"_cs_severities":["medium"],"_cs_tags":["cve","request smuggling","nodejs","http"],"_cs_type":"advisory","_cs_vendors":["Node.js"],"content_html":"\u003cp\u003eCVE-2025-23167 is an HTTP request smuggling vulnerability in Node.js 20.x (later release lines already bundled a fixed parser and were not affected). The \u003ccode\u003ellhttp\u003c/code\u003e HTTP/1 parser compiled into Node.js 20 accepted \u003ccode\u003e\\r\\n\\rX\u003c/code\u003e (a CRLF, a bare CR, then any byte) as the end of the header block, where a conforming parser requires the full \u003ccode\u003e\\r\\n\\r\\n\u003c/code\u003e sequence. A reverse proxy in front of Node.js that does not treat that sequence as a terminator keeps reading, so the same byte stream is split into requests differently by the proxy and by Node.js. An attacker can use that desynchronisation to hide a second request from the proxy, bypassing the access controls the proxy enforces, and have Node.js process it. The issue was resolved by upgrading the bundled \u003ccode\u003ellhttp\u003c/code\u003e to version 9, which enforces strict header termination. 
This vulnerability poses a significant risk to applications running Node.js 20.x behind a proxy without the patched \u003ccode\u003ellhttp\u003c/code\u003e, potentially leading to unauthorized access or data manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP/1 request whose header block ends with \u003ccode\u003e\\r\\n\\rX\u003c/code\u003e instead of \u003ccode\u003e\\r\\n\\r\\n\u003c/code\u003e, and appends a second, unauthorized request directly after that malformed terminator in the same byte stream.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the combined stream through the reverse proxy, on a connection the proxy keeps open to the backend Node.js server.\u003c/li\u003e\n\u003cli\u003eThe proxy, which requires \u003ccode\u003e\\r\\n\\r\\n\u003c/code\u003e, sees no header terminator at \u003ccode\u003e\\r\\n\\rX\u003c/code\u003e; it treats the bytes of the appended request as further header lines of the first request, applies its access controls to the first request line only, and forwards the whole stream to the backend. (A proxy that rejects the bare CR outright, as RFC 9112 allows, stops the chain here.)\u003c/li\u003e\n\u003cli\u003eThe Node.js server, running the vulnerable \u003ccode\u003ellhttp\u003c/code\u003e, ends the header block at \u003ccode\u003e\\r\\n\\rX\u003c/code\u003e and processes the first request.\u003c/li\u003e\n\u003cli\u003eThe bytes after the malformed terminator remain in the connection buffer, and Node.js parses them as a new, independent request: the smuggled request.\u003c/li\u003e\n\u003cli\u003eThe smuggled request never passed the proxy\u0026rsquo;s access checks, because the proxy only saw the initial, seemingly legitimate request.\u003c/li\u003e\n\u003cli\u003eThe attacker reaches resources or functionality on the Node.js server that the proxy was supposed to protect, potentially leading to data exposure or manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability affects Node.js 20.x releases that bundle \u003ccode\u003ellhttp\u003c/code\u003e versions prior to 9. 
Successful exploitation allows attackers to bypass proxy-based access controls and submit requests the proxy would otherwise have blocked. What the smuggled request can then do depends on the application: reading or modifying data behind paths the proxy restricts, or reaching internal endpoints the proxy hides. Request smuggling does not by itself give code execution on the server. The exposed population is significant given the widespread deployment of Node.js 20 behind reverse proxies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Node.js 20.x to a release that bundles \u003ccode\u003ellhttp\u003c/code\u003e 9 or later; the parser is compiled into the Node.js binary and cannot be updated independently. The fix shipped in the May 2025 security release, Node.js 20.19.2.\u003c/li\u003e\n\u003cli\u003eConfirm the fix with \u003ccode\u003enode -p process.versions.llhttp\u003c/code\u003e, which prints the bundled parser version.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2025-23167 Node.js HTTP Smuggling Attempt\u0026rdquo; to identify requests with malformed header termination. It needs a log source that records raw request bytes (a WAF, proxy or packet-capture feed): ordinary access logs normalise headers and never show the \u003ccode\u003e\\r\\n\\rX\u003c/code\u003e sequence, so searching them for it finds nothing.\u003c/li\u003e\n\u003cli\u003eAt the proxy, reject requests containing a bare CR in the header block rather than tolerating it; a front end that refuses \u003ccode\u003e\\r\u003c/code\u003e not followed by \u003ccode\u003e\\n\u003c/code\u003e removes the parser discrepancy the attack depends on.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:53:45Z","date_published":"2026-05-31T07:53:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-23167-nodejs-http-smuggling/","summary":"CVE-2025-23167 describes a request smuggling vulnerability in Node.js 20's HTTP parser due to improper header termination, allowing attackers to bypass proxy access controls.","title":"CVE-2025-23167 Node.js HTTP Request Smuggling via llhttp","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-23167-nodejs-http-smuggling/"}],"language":"en","title":"CraftedSignal Threat Feed — Llhttp","version":"https://jsonfeed.org/version/1.1"}
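The parser discrepancy in the description and attack chain above, as an added example that is not llhttp's or Node.js's own code: a JavaScript model of the lenient terminator rule (`\r\n\r` followed by any byte, consuming that byte) beside the strict `\r\n\r\n` rule, both run over one constructed byte stream, plus the raw-byte check that the detection in the Recommendation section needs. The request bytes, the `/public` and `/admin` paths and the `app.example` host are constructed; `findHeaderEnd`, `splitRequests`, `hasMalformedTerminator` and `demo` are this example's own names; the model ignores chunked encoding and treats a missing Content-Length as an empty body.

```javascript
// Added example, not code from llhttp or Node.js: a model of the two header
// terminator rules the advisory describes, applied to one constructed byte
// stream, plus the raw-byte check a detector would run.

const CR = 0x0d;
const LF = 0x0a;

// Locate the end of the header block. Returns the offset of the first body
// byte, or -1 if no terminator has been seen yet.
//   strict = true : require "\r\n\r\n" (RFC 9112; llhttp 9 and a strict proxy)
//   strict = false: accept "\r\n\r" + any byte (the flaw in Node.js 20's llhttp)
function findHeaderEnd(buf, strict) {
  for (let i = 0; i + 3 < buf.length; i++) {
    if (buf[i] === CR && buf[i + 1] === LF && buf[i + 2] === CR) {
      if (buf[i + 3] === LF) return i + 4;
      if (!strict) return i + 4; // the flaw: any byte after "\r\n\r" ends the headers
    }
  }
  return -1;
}

// Content-Length from a header block, 0 when absent. Good enough for the
// model; a real parser also handles chunked transfer encoding.
function contentLength(headerBytes) {
  const m = headerBytes.toString('latin1').match(/^content-length:[ \t]*(\d+)/im);
  return m ? parseInt(m[1], 10) : 0;
}

// Split a byte stream into requests the way a parser using the given rule
// would, returning the request line of each. Stops at the first incomplete
// request.
function splitRequests(buf, strict) {
  const requests = [];
  let offset = 0;
  while (offset < buf.length) {
    const rest = buf.subarray(offset);
    const end = findHeaderEnd(rest, strict);
    if (end < 0) break;
    const headers = rest.subarray(0, end);
    requests.push(headers.toString('latin1').split('\r\n')[0]);
    offset += end + contentLength(headers);
  }
  return requests;
}

// Detection: does the header block (as a strict parser delimits it) contain
// "\r\n\r" not followed by "\n"? Only meaningful on raw bytes from a WAF,
// proxy or packet capture; access logs normalise headers and cannot show it.
// Limiting the scan to the header block avoids flagging body bytes.
function hasMalformedTerminator(buf) {
  const end = findHeaderEnd(buf, true);
  const scope = end < 0 ? buf : buf.subarray(0, end);
  for (let i = 0; i + 3 < scope.length; i++) {
    if (scope[i] === CR && scope[i + 1] === LF && scope[i + 2] === CR && scope[i + 3] !== LF) {
      return true;
    }
  }
  return false;
}

// Constructed attack stream: a harmless-looking request whose header block
// ends with "\r\n\rX", followed by a request to a path the proxy blocks.
const attackStream = Buffer.from(
  'GET /public HTTP/1.1\r\n' +
  'Host: app.example\r\n' +
  '\rX' +                      // bare CR plus a byte: "\r\n\rX" ends the headers only for the flawed parser
  'GET /admin HTTP/1.1\r\n' +
  'Host: app.example\r\n' +
  '\r\n',
  'latin1');

// How each side of the proxy sees the stream, and whether a detector flags it.
function demo(stream) {
  return {
    proxyView: splitRequests(stream, true),   // one request, the smuggled bytes look like headers
    nodeView: splitRequests(stream, false),   // two requests, /admin reaches the backend
    flagged: hasMalformedTerminator(stream),
  };
}

console.log(demo(attackStream));
```

Run under any current Node.js; the model reproduces the split without needing a vulnerable binary. The benign case worth keeping in mind is a body that happens to contain `\r\n\rX` after a proper `\r\n\r\n`: both rules agree on one request, and the detector stays silent because it scans only the header block.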