Arch Linux: Access restriction bypass (CVE-2025-23167)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:P/I:P/A:N) | May 19, 2025 | Jul 11, 2025 | Nov 27, 2025 |
Description
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination.
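As an added illustration (not code from Node.js, llhttp or this advisory), the JavaScript check below flags raw HTTP/1 request bytes whose header block contains `\r\n\r` followed by any byte other than `\n`, which is the termination the description says must not be accepted. The function names and the sample requests are constructed for this example.

```javascript
'use strict';
// Added example: strict HTTP/1 header-termination check (hypothetical helpers).
const CR = 0x0d;
const LF = 0x0a;

// Strict rule: headers end only at the first CR LF CR LF.
// Returns the offset just past the terminator, or -1 if it is absent.
function strictHeaderEnd(buf) {
  const i = buf.indexOf('\r\n\r\n', 0, 'latin1');
  return i === -1 ? -1 : i + 4;
}

// Returns the offset of the first CR LF CR that is followed by a non-LF byte,
// or -1. A trailing CR LF CR with no next byte yet is not flagged.
function malformedTerminatorAt(buf) {
  for (let i = 0; i + 3 < buf.length; i++) {
    if (buf[i] === CR && buf[i + 1] === LF &&
        buf[i + 2] === CR && buf[i + 3] !== LF) {
      return i;
    }
  }
  return -1;
}

// Classifies a buffered request head:
//   ok         - properly terminated, offset = first body byte
//   reject     - CR LF CR <non-LF> seen before any valid terminator
//   incomplete - no terminator yet, keep reading
function classifyHead(buf) {
  const end = strictHeaderEnd(buf);
  const bad = malformedTerminatorAt(buf);
  if (bad !== -1 && (end === -1 || bad < end)) {
    return { verdict: 'reject', offset: bad };
  }
  if (end === -1) return { verdict: 'incomplete', offset: -1 };
  return { verdict: 'ok', offset: end };
}

// Constructed sample inputs (not captured traffic).
const HEAD = 'GET / HTTP/1.1\r\nHost: example.test';
const samples = {
  wellFormed: Buffer.from(HEAD + '\r\n\r\n', 'latin1'),
  crLfCrX: Buffer.from(HEAD + '\r\n\rX', 'latin1'),
  partial: Buffer.from(HEAD + '\r\n\r', 'latin1'),
};

for (const [name, buf] of Object.entries(samples)) {
  console.log(name, classifyHead(buf));
}
```

A component that applies this check and one that accepts the `\r\n\rX` form disagree on where the headers end, which is the inconsistency the description refers to.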
Solution
arch-linux-upgrade-latest