CVE-2025-23167: 
npm vulnerability analysis and mitigation

A medium severity vulnerability was discovered in Node.js 20's HTTP parser (llhttp), identified as CVE-2025-23167. The vulnerability was disclosed on May 14, 2025, affecting Node.js 20.x versions prior to the llhttp v9 upgrade. The flaw allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n sequence (Node Blog, Wiz Report).

The vulnerability stems from improper HTTP header block termination in llhttp, where the parser accepts incorrect termination sequences for HTTP/1 headers. This inconsistency in header termination handling creates a security weakness in the HTTP parsing mechanism. The vulnerability has been assigned a CVSS v3.0 base score of 6.5 (MEDIUM) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue has been classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) (Wiz Report).

The vulnerability enables request smuggling attacks, which can allow attackers to bypass proxy-based access controls and submit unauthorized requests. This could potentially lead to unauthorized access to protected resources and exposure of sensitive information. The impact is limited to Node.js 20.x users prior to the llhttp v9 upgrade (Node Blog, Wiz Report).

The issue has been resolved by upgrading llhttp to version 9, which enforces correct header termination. Users are advised to update to Node.js v20.19.2 or later versions that include this fix. The fix was released as part of the May 14, 2025 security releases (Node Blog).