{"api_version":"1","generated_at":"2026-04-22T23:09:17+00:00","cve":"CVE-2023-30589","urls":{"html":"https://cve.report/CVE-2023-30589","api":"https://cve.report/api/cve/CVE-2023-30589.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-30589","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-30589"},"summary":{"title":"CVE-2023-30589","description":"The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r\n\r\nThe CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-07-01 00:15:00","updated_at":"2023-12-12 14:33:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/2001873","name":"https://hackerone.com/reports/2001873","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: nodejs18-18.16.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: python-aiohttp-3.8.5-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: python-aiohttp-3.8.5-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/","refsource":"MISC","tags":["Mailing List"],"title":"[SECURITY] Fedora 38 Update: nodejs16-16.20.1-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0009/","name":"https://security.netapp.com/advisory/ntap-20230803-0009/","refsource":"MISC","tags":[],"title":"CVE-2023-30589 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/","refsource":"MISC","tags":["Mailing List"],"title":"[SECURITY] Fedora 38 Update: nodejs18-18.16.1-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/","refsource":"MISC","tags":["Mailing List"],"title":"[SECURITY] Fedora 37 Update: nodejs16-16.20.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-30589","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30589","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"16.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"18.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"20.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"30589","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"20.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-30589","qid":"160824","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-4330)"},{"cve":"CVE-2023-30589","qid":"160835","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2023-4331)"},{"cve":"CVE-2023-30589","qid":"160852","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-4537)"},{"cve":"CVE-2023-30589","qid":"160853","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-4536)"},{"cve":"CVE-2023-30589","qid":"241874","title":"Red Hat Update for nodejs security (RHSA-2023:4331)"},{"cve":"CVE-2023-30589","qid":"241876","title":"Red Hat Update for nodejs:18 security (RHSA-2023:4330)"},{"cve":"CVE-2023-30589","qid":"241930","title":"Red Hat Update for nodejs:16 security (RHSA-2023:4537)"},{"cve":"CVE-2023-30589","qid":"241939","title":"Red Hat Update for nodejs:18 security (RHSA-2023:4536)"},{"cve":"CVE-2023-30589","qid":"242085","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5361)"},{"cve":"CVE-2023-30589","qid":"242132","title":"Red Hat Update for nodejs security (RHSA-2023:5533)"},{"cve":"CVE-2023-30589","qid":"284323","title":"Fedora Security Update for nodejs18 (FEDORA-2023-6b866fbe84)"},{"cve":"CVE-2023-30589","qid":"284328","title":"Fedora Security Update for nodejs16 (FEDORA-2023-61e40652be)"},{"cve":"CVE-2023-30589","qid":"284329","title":"Fedora Security Update for nodejs16 (FEDORA-2023-608a1417d3)"},{"cve":"CVE-2023-30589","qid":"284330","title":"Fedora Security Update for nodejs18 (FEDORA-2023-cdddce304a)"},{"cve":"CVE-2023-30589","qid":"284370","title":"Fedora Security Update for llhttp (FEDORA-2023-f75af676f2)"},{"cve":"CVE-2023-30589","qid":"284409","title":"Fedora Security Update for llhttp (FEDORA-2023-105880e618)"},{"cve":"CVE-2023-30589","qid":"285303","title":"Fedora Security Update for llhttp (FEDORA-2023-ad76deb86e)"},{"cve":"CVE-2023-30589","qid":"355624","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-237"},{"cve":"CVE-2023-30589","qid":"378945","title":"Oracle Java Standard Edition (SE) Critical Patch Update - October 2023 (CPUOCT2023)"},{"cve":"CVE-2023-30589","qid":"379452","title":"IBM Cognos Analytics Multiple Vulnerabilities (7123154)"},{"cve":"CVE-2023-30589","qid":"503428","title":"Alpine Linux Security Update for openjdk17"},{"cve":"CVE-2023-30589","qid":"506138","title":"Alpine Linux Security Update for openjdk17"},{"cve":"CVE-2023-30589","qid":"6000404","title":"Debian Security Update for nodejs (DSA 5589-1)"},{"cve":"CVE-2023-30589","qid":"754181","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2023:2861-1)"},{"cve":"CVE-2023-30589","qid":"907096","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (27278-1)"},{"cve":"CVE-2023-30589","qid":"907331","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (27279-1)"},{"cve":"CVE-2023-30589","qid":"941202","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:4330)"},{"cve":"CVE-2023-30589","qid":"941203","title":"AlmaLinux Security Update for nodejs (ALSA-2023:4331)"},{"cve":"CVE-2023-30589","qid":"941221","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:4537)"},{"cve":"CVE-2023-30589","qid":"941222","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:4536)"},{"cve":"CVE-2023-30589","qid":"960969","title":"Rocky Linux Security Update for nodejs:16 (RLSA-2023:4537)"},{"cve":"CVE-2023-30589","qid":"961042","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:4536)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-30589","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r\n\r\nThe CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20\r\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Node.js","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_affected":"<","version_name":"v20.3.1","version_value":"v20.3.1"},{"version_affected":"<","version_name":"v18.16.1","version_value":"v18.16.1"},{"version_affected":"<","version_name":"v16.20.1","version_value":"v16.20.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://hackerone.com/reports/2001873","refsource":"MISC","name":"https://hackerone.com/reports/2001873"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0009/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230803-0009/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/"}]}},"nvd":{"publishedDate":"2023-07-01 00:15:00","lastModifiedDate":"2023-12-12 14:33:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"20.0.0","versionEndExcluding":"20.3.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndExcluding":"16.20.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"18.0.0","versionEndExcluding":"18.16.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}