Overview
The llhttp parser in the http module in multiple versions of Node.js does not strictly use the CRLF sequence to delimit HTTP requests, which can lead to HTTP Request Smuggling (HRS).
HTTP Request Smuggling interferes with the proper fulfillment of requests by an HTTP server. The possible ramifications of this exploit include allowing unauthorized access to a system, allowing an attacker to modify data (in databases, user accounts and other records), session hijacking, information disclosure, cache poisoning and denial of service.
This issue affects the following versions of Node.js: 16.0.0 up to (but excluding) 16.20.1, 18.0.0 up to (but excluding) 18.16.1 and 20.0.0 up to (but excluding) 20.3.1
Details
Module Info
- Product: Node.js
- Affected packages: Node.js (via llhttp)
- Affected versions: >=16.0.0 <16.20.1, >=18.0.0 <18.16.1, >=20.0.0 <20.3.1
- GitHub repository: https://github.com/nodejs/node
- Published packages: https://nodejs.org/en/download
- Package manager: -
Vulnerability Info
This high-severity vulnerability is found in many versions of the llhttp library. Although RFC7230 section 3 indicates that only the CRLF sequence should delimit each header field, vulnerable versions of the library allow just the CR character (without LF) to delimit HTTP header fields.
Since this library is bundled with Node.js, many versions of Node.js in the v16, v18 and v20 branches are affected.
There is no workaround.
Steps To Reproduce
- Install a vulnerable version of Node.js on a server.
- Craft an HTTP request that, instead of using \r\n (CRLF), uses just \r (CR) to end header fields. In the example below, the first request ends with only \r, potentially allowing the second request to be smuggled (hidden to, or misinterpreted by, certain layers of the web server). The second request is formed correctly, because it properly terminates with \r\n.
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11\r
Cookie: session=abc123\r
\r
data=payload1
POST /secret HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
\r\n
data=payload2
Mitigation
Users of Node.js versions that are still under development or maintenance, should upgrade to the latest version of the corresponding release.
Users of Node.js versions that are no longer supported should apply one of te following mitigations:
- Upgrade affected applications to supported versions of Node.js.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Additional Resources
- NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2023-30589
- GitHub advisory: https://github.com/advisories/GHSA-cggh-pq45-6h9x