CVE-2023-30589: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2023-30589) affects the llhttp parser in the http module of Node.js v20.2.0 and impacts all Node.js active versions: v16, v18, and v20. The vulnerability was discovered when it was found that the parser does not strictly use the CRLF sequence to delimit HTTP requests, instead accepting CR characters without LF to delimit HTTP header fields, which violates RFC7230 section 3 specifications (NVD).

The vulnerability stems from the llhttp parser's improper handling of HTTP request delimiters. According to RFC7230 section 3, only the CRLF (Carriage Return Line Feed) sequence should be used to delimit each header-field. However, the parser accepts a CR character alone without the required LF character as a valid delimiter. This implementation flaw can lead to HTTP Request Smuggling (HRS). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The primary impact of this vulnerability is the potential for HTTP Request Smuggling (HRS) attacks. This could allow attackers to bypass security controls, manipulate how web applications process sequences of HTTP requests, and potentially lead to the addition or modification of data. The vulnerability has been rated with HIGH severity due to its potential impact on data integrity (NetApp Advisory).

The vulnerability has been addressed in subsequent Node.js releases. Users are advised to upgrade to patched versions: Node.js v16.20.1, v18.16.1, and v20.3.1. Various Linux distributions have also released security updates to address this vulnerability, including Fedora which has released patches for affected packages (Fedora Update).