How the CVE Works:
CVE-2023-30588 is an HTTP request smuggling vulnerability in Node.js due to improper parsing of chunked transfer encoding headers. Attackers can exploit this by sending malformed HTTP requests with conflicting `Content-Length` and `Transfer-Encoding` headers. Node.js incorrectly processes these headers, leading to request smuggling where a single request is interpreted as multiple requests by the backend server. This allows attackers to bypass security controls, hijack sessions, or poison caches. The flaw arises from inconsistencies in the `llhttp` parser, which fails to enforce strict header validation.
DailyCVE Form:
Platform: Node.js
Version: <18.16.1, <20.3.1
Vulnerability: HTTP Request Smuggling
Severity: Critical
Date: 2023-06-22
Prediction: Patch expected by 2023-07-15
What Undercode Says:
curl -H "Transfer-Encoding: chunked" -H "Content-Length: 0" http://target
nmap -p 443 --script http-request-smuggling <target>
How the Exploit Works:
1. Craft conflicting `Content-Length` and `Transfer-Encoding` headers.
2. Send malformed requests to Node.js servers.
3. Bypass authentication or poison caches.
Protection from this CVE:
- Update to Node.js >=18.16.1 or >=20.3.1.
- Use a reverse proxy with strict HTTP parsing.
- Disable chunked encoding if unused.
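To illustrate what "strict HTTP parsing" means for the conflicting `Content-Length` / `Transfer-Encoding` case described above, the following added example (not code from Node.js, `llhttp`, or the original post) checks the head of a raw HTTP/1.1 request for ambiguous framing that a front end should reject. The function name, the finding labels and the sample requests are assumptions made for this illustration.

```javascript
'use strict';
// Added example (not Node.js/llhttp code). Names and labels are illustrative.
// Flags ambiguous framing in the head of a raw HTTP/1.1 request.
function findFramingIssues(rawHead) {
  const issues = new Set();
  // A bare LF (no preceding CR) is parsed differently by different servers.
  if (/(^|[^\r])\n/.test(rawHead)) issues.add('bare-lf-line-ending');
  const contentLengths = [];
  const transferEncodings = [];
  for (const line of rawHead.split(/\r?\n/).slice(1)) { // skip request line
    if (line === '') break; // end of header block
    if (/^[ \t]/.test(line)) { issues.add('obsolete-line-folding'); continue; }
    const colon = line.indexOf(':');
    if (colon === -1) { issues.add('header-without-colon'); continue; }
    const rawName = line.slice(0, colon);
    // RFC 9112: no whitespace is allowed between field name and colon.
    if (/[ \t]/.test(rawName)) issues.add('whitespace-in-field-name');
    const name = rawName.trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (name === 'content-length') contentLengths.push(value);
    if (name === 'transfer-encoding') transferEncodings.push(value.toLowerCase());
  }
  if (contentLengths.length && transferEncodings.length) {
    issues.add('content-length-with-transfer-encoding');
  }
  if (new Set(contentLengths).size > 1) issues.add('conflicting-content-length');
  // Strict choice: anything other than plain digits is rejected.
  if (contentLengths.some((v) => !/^\d+$/.test(v))) issues.add('invalid-content-length');
  if (transferEncodings.length) {
    // In a request, the final transfer coding must be "chunked".
    const codings = transferEncodings.join(',').split(',').map((c) => c.trim());
    if (codings[codings.length - 1] !== 'chunked') issues.add('final-coding-not-chunked');
  }
  return [...issues];
}

// Constructed sample request heads (example.test is a placeholder host).
const SAMPLES = {
  clean: 'POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\n',
  conflicting: 'POST /api HTTP/1.1\r\nHost: example.test\r\n' +
    'Transfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n',
};
for (const [label, head] of Object.entries(SAMPLES)) {
  console.log(label, findFramingIssues(head));
}
```

Any non-empty result is a reason to answer `400 Bad Request` and close the connection rather than forward the request to a backend.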
Impact:
- Session hijacking
- Cache poisoning
- Unauthorized data access
Sources:
Reported By: nvd.nist.gov