CVE-2023-30589: HTTP Request Smuggling Vulnerability in Node.js Due to Non-Strict CRLF Sequence in llhttp Parser

The HTTP module in Node.js version v20.2. has been found to contain a vulnerability that allows HTTP Request Smuggling (HRS). This vulnerability, assigned as CVE-2023-30589, originates from the llhttp parser’s non-stringent use of the CRLF (Carriage Return/Line Feed) sequence to delimit HTTP requests. According to the RFC723 section 3, only the CRLF sequence should serve as the delimiter for each header-field within HTTP requests. However, the llhttp parser accepts CR characters without LF as sufficient for HTTP header field delimitation. This vulnerability affects all active Node.js versions, including v16, v18, and v20.

Exploit Details

HTTP Request Smuggling is a technique in which an attacker manipulates the HTTP request to bypass security controls, gain unauthorized access, or potentially launch further attacks on web application users. Due to the vulnerability in the llhttp parser, attackers can exploit the non-strict usage of CRLF by sending HTTP requests with only CR instead of the CRLF sequence, leading to HRS.

To demonstrate the vulnerability in action, consider the following code snippet in Node.js

const http = require('http');

const server = http.createServer((req, res) => {
  console.log('Headers:', req.headers);
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('Request processed\n');
});

server.listen(808, () => {
  console.log('Server listening on port 808');
});

In this example, a simple HTTP server is instantiated. Ideally, all incoming HTTP requests should adhere to the CRLF sequence as the header-field delimiter. However, due to CVE-2023-30589, the server will also accept and process requests where only the CR character is used, resulting in potential HTTP Request Smuggling.

For a deeper understanding of the issue, refer to the following resources

1. RFC723, Section 3: "Message Syntax and Routing" - https://tools.ietf.org/html/rfc723#section-3
2. Node.js Repository on GitHub - https://github.com/nodejs/node

Mitigation

As of now, there is no official patch released to address this vulnerability in the llhttp parser. However, developers and administrators can implement the following workarounds to mitigate the risk of HTTP Request Smuggling:

1. Use a reverse proxy or load balancer that adheres to the RFC723 specifications and sanitizes any incoming requests with malformed CRLF sequences before they reach the Node.js server.
2. Apply strict input validation and sanitization at the application level to reject any requests containing only CR characters in place of the CRLF sequence.

Conclusion

CVE-2023-30589 is a significant vulnerability affecting the llhttp parser in the HTTP module of Node.js, which can result in HTTP Request Smuggling. It is crucial for developers and administrators to be aware of this issue and implement the suggested mitigation strategies until an official patch is released.

Timeline

Published on: 07/01/2023 00:15:00 UTC
Last modified on: 07/21/2023 19:18:00 UTC