Rapid7

vulnerability

Oracle Linux: CVE-2023-30589: ELSA-2023-12933: GraalVM Security update (IMPORTANT) (Multiple Advisories)

Try Surface Command
Back to search
Severity
8
CVSS
(AV:N/AC:M/Au:N/C:P/I:C/A:P)
Published
Jun 20, 2023
Added
Aug 2, 2023
Modified
Dec 3, 2025

Description

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

Solutions

oracle-linux-upgrade-graalvm-community-17-espressooracle-linux-upgrade-graalvm-community-17-espresso-llvmoracle-linux-upgrade-graalvm-community-17-icu4joracle-linux-upgrade-graalvm-community-17-javascriptoracle-linux-upgrade-graalvm-community-17-jdkoracle-linux-upgrade-graalvm-community-17-libpolyglotoracle-linux-upgrade-graalvm-community-17-llvmoracle-linux-upgrade-graalvm-community-17-llvm-toolchainoracle-linux-upgrade-graalvm-community-17-native-imageoracle-linux-upgrade-graalvm-community-17-native-image-llvm-backendoracle-linux-upgrade-graalvm-community-17-nodejsoracle-linux-upgrade-graalvm-community-17-nodejs-develoracle-linux-upgrade-graalvm-community-17-polyglotoracle-linux-upgrade-graalvm-community-17-pythonoracle-linux-upgrade-graalvm-community-17-python-develoracle-linux-upgrade-graalvm-community-17-regexoracle-linux-upgrade-graalvm-community-17-rubyoracle-linux-upgrade-graalvm-community-17-ruby-develoracle-linux-upgrade-graalvm-community-17-toolsoracle-linux-upgrade-graalvm-community-17-wasmoracle-linux-upgrade-graalvm-community-21-jdkoracle-linux-upgrade-graalvm-community-21-native-imageoracle-linux-upgrade-nodejsoracle-linux-upgrade-nodejs-develoracle-linux-upgrade-nodejs-docsoracle-linux-upgrade-nodejs-full-i18noracle-linux-upgrade-nodejs-libsoracle-linux-upgrade-nodejs-nodemonoracle-linux-upgrade-nodejs-packagingoracle-linux-upgrade-nodejs-packaging-bundleroracle-linux-upgrade-npm

References

    Title
    Rapid7 Labs

    2026 Global Threat Landscape Report

    The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

    Get report