SentinelOne
CVE Vulnerability Database

CVE-2025-23167: Node.js 20 Auth Bypass Vulnerability

CVE-2025-23167 is an authentication bypass flaw in Node.js 20's HTTP parser that enables request smuggling attacks. This article covers the technical details, affected versions, security impact, and mitigation.

Updated: January 22, 2026

CVE-2025-23167 Overview

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This HTTP Request Smuggling vulnerability (CWE-444) creates an inconsistency between how front-end proxies and back-end Node.js servers interpret HTTP request boundaries, enabling attackers to bypass proxy-based access controls and submit unauthorized requests.

The vulnerability stems from a permissive implementation in the llhttp parsing library, which incorrectly accepts malformed header termination sequences. This parsing discrepancy is particularly dangerous in environments where reverse proxies or load balancers are deployed in front of Node.js applications for security enforcement.

Critical Impact

Attackers can exploit this HTTP Request Smuggling vulnerability to bypass proxy-level security controls, access restricted endpoints, and potentially poison web caches or hijack user sessions in affected Node.js 20.x deployments.

Affected Products

  • Node.js 20.x (versions prior to the llhttp v9 upgrade)
  • Applications using Node.js 20's built-in HTTP parser behind reverse proxies
  • Environments relying on proxy-based access control for Node.js services

Discovery Timeline

  • 2025-05-19 - CVE-2025-23167 published to NVD
  • 2025-05-19 - Last updated in NVD database

Technical Details for CVE-2025-23167

Vulnerability Analysis

This vulnerability exploits a fundamental inconsistency in how different HTTP parsers interpret request boundaries. The HTTP/1.1 specification mandates that the header section be terminated with a \r\n\r\n (CRLF CRLF) sequence. However, the affected versions of llhttp in Node.js 20 incorrectly accept \r\n\rX as a valid header terminator, where X represents any character.

When a front-end proxy strictly adheres to the HTTP specification while the back-end Node.js server accepts malformed sequences, attackers can craft requests that are interpreted differently by each component. This desynchronization allows the attacker to "smuggle" a second request within what the proxy perceives as a single request.

The impact is particularly severe for applications that rely on proxy-level security controls, as attackers can effectively bypass authentication, authorization, and other security measures implemented at the proxy layer.

Root Cause

The root cause lies in the permissive parsing behavior of llhttp versions prior to v9. The parser's state machine did not properly validate the complete \r\n\r\n sequence before transitioning from header parsing to body parsing. This allowed partially-formed termination sequences (\r\n\rX) to be accepted, creating an exploitable discrepancy with stricter HTTP parsers commonly used in proxy servers.

The fix in llhttp v9 enforces strict validation of the header termination sequence, ensuring that only the specification-compliant \r\n\r\n pattern is accepted.
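To make the parsing discrepancy concrete, here is an added illustration (not llhttp or Node.js code) of a header-terminator state machine run in a permissive mode modelled on the pre-v9 behaviour described above and in a strict mode modelled on the v9 fix. The sample requests, and the assumption that the stray byte X is consumed as if it were a line feed, are constructed for the example.

```javascript
// Added illustration, not llhttp or Node.js source. "permissive" models the
// pre-v9 behaviour the text describes ("\r\n\r" followed by any byte X ends
// the header section); "strict" models the v9 fix, which accepts only
// "\r\n\r\n". How llhttp treated X internally is not stated on this page, so
// the model assumes (for illustration only) that X is swallowed like an LF.
const CR = 0x0d;
const LF = 0x0a;

// Returns { status, bodyStart }. status is 'headers-complete' (bodyStart is
// the offset of the first body byte), 'incomplete' (no terminator seen yet)
// or 'malformed' (strict mode refused a "\r\n\rX" terminator).
function parseHeaderEnd(buf, permissive) {
  let state = 'FIELD'; // FIELD -> CR -> CRLF -> CRLFCR -> terminator decision
  for (let i = 0; i < buf.length; i++) {
    const b = buf[i];
    if (state === 'FIELD') {
      if (b === CR) state = 'CR';
    } else if (state === 'CR') {
      state = b === LF ? 'CRLF' : b === CR ? 'CR' : 'FIELD';
    } else if (state === 'CRLF') {
      state = b === CR ? 'CRLFCR' : 'FIELD';
    } else {
      // CRLFCR: one byte decides whether the header section has ended.
      if (b === LF || permissive) {
        return { status: 'headers-complete', bodyStart: i + 1 };
      }
      return { status: 'malformed', bodyStart: -1 };
    }
  }
  return { status: 'incomplete', bodyStart: -1 };
}

// Run both models over the same bytes so the disagreement is visible: a
// strict front end and a permissive back end do not agree on whether, and
// where, the header section ended, which is the root of the desynchronisation.
function compareParsers(buf) {
  return { strict: parseHeaderEnd(buf, false), permissive: parseHeaderEnd(buf, true) };
}

// Constructed samples, not captured traffic. SAMPLE_MALFORMED closes the
// header block with "\r\n\rZ" instead of "\r\n\r\n".
const SAMPLE_GOOD = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n');
const SAMPLE_MALFORMED = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\rZ');

console.log('well-formed:', compareParsers(SAMPLE_GOOD));
console.log('malformed:  ', compareParsers(SAMPLE_MALFORMED));
```

On the malformed sample the strict model reports 'malformed' while the permissive model reports a complete header section at byte 38, which is exactly the disagreement a strict proxy and a pre-fix Node.js 20 back end would have.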

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker crafts a malicious HTTP request with an improperly terminated header section using \r\n\rX. When this request passes through a reverse proxy that strictly validates HTTP syntax, the proxy sees one request boundary while the Node.js back-end interprets the data differently, treating subsequent bytes as part of a new, smuggled request.

This enables several attack scenarios:

  • Bypass of proxy-based access controls, by smuggling requests to restricted endpoints that the proxy would normally block
  • Web cache poisoning, when the smuggled request causes the cache to store malicious content under a legitimate URL
  • Session hijacking, if the smuggled request can be associated with another user's connection

Detection Methods for CVE-2025-23167

Indicators of Compromise

  • Unusual HTTP requests containing malformed header termination sequences (\r\n\rX patterns)
  • Log discrepancies between proxy access logs and Node.js application logs indicating request count mismatches
  • Unexpected access to restricted endpoints from seemingly legitimate client connections
  • Cache behavior anomalies where stored responses don't match expected content

Detection Strategies

  • Deploy network intrusion detection rules to identify HTTP requests with malformed CRLF sequences in header sections
  • Implement log correlation between front-end proxy and back-end Node.js servers to detect request count discrepancies
  • Monitor for access to restricted endpoints that bypass normal authentication flows
  • Use application-level logging to track header parsing behavior and flag unusual patterns

Monitoring Recommendations

  • Enable detailed HTTP request logging at both proxy and application layers for forensic analysis
  • Configure alerting on request count mismatches between proxy and application server logs
  • Monitor Node.js version deployments across infrastructure to identify vulnerable 20.x installations
  • Implement regular security audits of proxy-to-backend communication patterns
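The log-correlation checks recommended in the Detection Strategies and Monitoring Recommendations lists, as an added example that is not SentinelOne or Node.js tooling. The proxy and back-end log formats and every log line below are constructed; the hypothetical restricted path is only a placeholder.

```javascript
// Added example, not SentinelOne or Node.js tooling. Two signals from the
// guidance above are checked: (1) a minute in which the back end logged more
// requests than the proxy forwarded, and (2) a back-end request whose method
// and path never appear in the proxy log. All log lines are constructed.
// Proxy line:   "<ISO time> <client ip> <method> <path> <status>"
// Backend line: "<ISO time> <method> <path>"
function parseLine(line, isProxy) {
  const f = line.trim().split(/\s+/);
  const [method, path] = isProxy ? [f[2], f[3]] : [f[1], f[2]];
  return { minute: f[0].slice(0, 16), method, path }; // e.g. "2025-05-20T10:01"
}

function countByMinute(rows) {
  const counts = new Map();
  for (const r of rows) counts.set(r.minute, (counts.get(r.minute) || 0) + 1);
  return counts;
}

// Returns a list of findings; an empty list means the two logs agree.
// Minute-level bucketing is a simplification: key on a connection or
// request id instead when both layers can log one.
function correlate(proxyLines, backendLines) {
  const proxy = proxyLines.map((l) => parseLine(l, true));
  const backend = backendLines.map((l) => parseLine(l, false));
  const proxyCounts = countByMinute(proxy);
  const findings = [];
  for (const [minute, seenByBackend] of countByMinute(backend)) {
    const seenByProxy = proxyCounts.get(minute) || 0;
    if (seenByBackend > seenByProxy) findings.push({ type: 'count-mismatch', minute, proxy: seenByProxy, backend: seenByBackend });
  }
  const proxied = new Set(proxy.map((r) => `${r.method} ${r.path}`));
  for (const r of backend) {
    const request = `${r.method} ${r.path}`;
    if (!proxied.has(request)) findings.push({ type: 'unproxied-request', minute: r.minute, request });
  }
  return findings;
}

// Constructed sample logs: the back end records one request the proxy never
// forwarded (a placeholder restricted path), in the same minute as two it did.
const PROXY_LOG = [
  '2025-05-20T10:01:02Z 198.51.100.7 GET /login 200',
  '2025-05-20T10:01:05Z 198.51.100.7 POST /login 302',
  '2025-05-20T10:02:10Z 203.0.113.9 GET /account 200',
];
const BACKEND_LOG = [
  '2025-05-20T10:01:02Z GET /login',
  '2025-05-20T10:01:05Z POST /login',
  '2025-05-20T10:01:05Z GET /admin/users', // no matching proxy entry
  '2025-05-20T10:02:10Z GET /account',
];

console.log(correlate(PROXY_LOG, BACKEND_LOG));
```

The sample produces two findings: a count mismatch for minute 2025-05-20T10:01 (proxy 2, back end 3) and an unproxied `GET /admin/users`; either one is worth an alert in the monitoring setup described above.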

How to Mitigate CVE-2025-23167

Immediate Actions Required

  • Upgrade Node.js 20.x to a version that includes llhttp v9 or later
  • Review and audit proxy configurations to ensure strict HTTP compliance validation
  • Implement network segmentation to limit exposure of vulnerable Node.js services
  • Consider deploying a Web Application Firewall (WAF) with HTTP request smuggling detection capabilities

Patch Information

The vulnerability has been addressed by upgrading the llhttp parser to version 9, which enforces correct header termination validation. Users should upgrade to the latest Node.js 20.x release that includes this fix. For detailed patch information, refer to the Node.js Security Release Blog.

Workarounds

  • Configure front-end proxies to normalize and strictly validate all HTTP requests before forwarding to Node.js backends
  • Implement connection-level request limits at the proxy layer to reduce the impact of smuggling attacks
  • Deploy multiple layers of access control, including both proxy-based and application-level authentication
  • Consider temporarily switching to HTTP/2 between proxy and backend if supported, as it is not affected by this parsing issue
  • Apply rate limiting and connection timeouts to minimize the window for exploitation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Node.js
  • Severity: MEDIUM
  • CVSS Score: 6.5
  • EPSS Probability: 0.01%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-444

Technical References

  • Node.js Security Release Blog

Related CVEs

  • CVE-2026-21715: Node.js Privilege Escalation Vulnerability
  • CVE-2026-21713: Node.js Timing Attack Vulnerability
  • CVE-2026-26974: Slyde Presentation Tool RCE Vulnerability
  • CVE-2025-59465: Node.js HTTP/2 HPACK DOS Vulnerability
©2026 SentinelOne, All Rights Reserved.