
CVE-2025-23167: Vulnerability in nodejs node

Medium
Published: Mon May 19 2025 (05/19/2025, 01:25:08 UTC)
Source: CVE
Vendor/Project: nodejs
Product: node

Description

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.

Impact:

* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

AI-Powered Analysis

Last updated: 07/11/2025, 10:48:34 UTC

Technical Analysis

CVE-2025-23167 is a medium-severity vulnerability affecting Node.js version 20.x prior to the upgrade of the embedded HTTP parser library, llhttp, to version 9. The flaw lies in the HTTP/1 header parsing logic, where the parser incorrectly accepts an improper header termination sequence '\r\n\rX' instead of the mandated '\r\n\r\n'. This parsing inconsistency enables HTTP request smuggling attacks. Request smuggling exploits discrepancies in how front-end proxies and back-end servers parse HTTP requests, allowing attackers to bypass proxy-based access controls, inject unauthorized requests, or manipulate HTTP traffic. The vulnerability specifically impacts Node.js 20.x applications that rely on the vulnerable llhttp parser version. The issue was resolved by upgrading llhttp to version 9, which enforces strict adherence to HTTP header termination rules. The CVSS v3.0 score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges or user interaction required, and partial confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild. The CWE classification is CWE-444 (Inconsistent Interpretation of HTTP Requests). This vulnerability is critical for applications exposing HTTP services through Node.js 20.x, especially those deployed behind proxies or load balancers that rely on consistent HTTP parsing for security controls.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications and services built on Node.js 20.x that handle HTTP/1 traffic. Exploitation could allow attackers to bypass proxy-based access controls, potentially leading to unauthorized access to internal resources, data leakage, or manipulation of HTTP requests. This can undermine confidentiality and integrity of communications within enterprise networks. Given the widespread use of Node.js in web development across Europe, especially in sectors like finance, e-commerce, and public services, the impact could be significant if vulnerable versions are deployed in production environments. Additionally, organizations relying on reverse proxies or API gateways that do not adequately normalize HTTP requests may be more susceptible. While no availability impact is expected, the ability to smuggle requests can facilitate further attacks such as session hijacking, privilege escalation, or injection attacks, amplifying the threat. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for future exploitation.

Mitigation Recommendations

European organizations should immediately audit their Node.js environments to identify any instances running version 20.x with the vulnerable llhttp parser version. The primary mitigation is to upgrade Node.js to a version that includes llhttp version 9 or later, ensuring strict HTTP header parsing compliance. For environments where immediate upgrade is not feasible, deploying Web Application Firewalls (WAFs) or reverse proxies capable of normalizing and validating HTTP headers can help detect and block malformed requests attempting to exploit this vulnerability. Network monitoring should be enhanced to detect anomalous HTTP traffic patterns indicative of request smuggling attempts. Security teams should also review proxy and load balancer configurations to ensure consistent HTTP parsing behavior across the infrastructure. Finally, developers should be educated about the risks of request smuggling and encouraged to adopt secure coding practices and dependency management to promptly apply security patches.
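Two defender-side checks that follow from the analysis and mitigation text above, as an added example that is not code from the advisory or from the Node.js project: a runtime audit that flags a Node 20.x process still running a pre-9 `llhttp` (read from `process.versions`, which Node exposes), and a strict header-block validator of the kind a reverse proxy or WAF layer can apply before forwarding a raw request. Function names and the sample requests are this example's own; the version threshold (Node 20.x with llhttp major below 9) is the one the advisory states.

```javascript
// Added example for CVE-2025-23167 (not from the advisory or Node.js itself).

// 1. Runtime audit: is this a Node 20.x process still on a pre-9 llhttp?
//    Node reports both in process.versions, e.g. node "20.11.0", llhttp "8.1.1".
function isAffectedRuntime(nodeVersion, llhttpVersion) {
  const nodeMajor = parseInt(String(nodeVersion).replace(/^v/, '').split('.')[0], 10);
  const llhttpMajor = parseInt(String(llhttpVersion).split('.')[0], 10);
  if (Number.isNaN(nodeMajor) || Number.isNaN(llhttpMajor)) return false;
  // Threshold taken from the advisory: only Node 20.x before the llhttp v9 upgrade.
  return nodeMajor === 20 && llhttpMajor < 9;
}

// 2. Strict header-block check for a proxy/WAF layer: the header block must end
//    with exactly CR LF CR LF. After any CR LF CR the next byte must be LF;
//    a lenient parser that accepts any byte there is the inconsistency behind
//    the CVE. Returns the offset just past the terminator, or -1 if the block is
//    malformed or incomplete (the request should then be rejected, not forwarded).
function strictHeaderEnd(raw) {
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'latin1');
  const CR = 0x0d, LF = 0x0a;
  for (let i = 0; i + 2 < buf.length; i++) {
    if (buf[i] === CR && buf[i + 1] === LF && buf[i + 2] === CR) {
      // A legitimate request never has a bare CR here except as the terminator.
      if (i + 3 < buf.length && buf[i + 3] === LF) return i + 4;
      return -1; // CR LF CR followed by something other than LF (or truncated)
    }
  }
  return -1; // no terminator seen
}

// Constructed sample requests (not captured traffic).
const GOOD = 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n';
const BAD = 'GET / HTTP/1.1\r\nHost: example.test\r\n\rX';

console.log('this runtime affected:',
  isAffectedRuntime(process.versions.node, process.versions.llhttp));
console.log('strict header end (good):', strictHeaderEnd(GOOD)); // 38
console.log('strict header end (bad): ', strictHeaderEnd(BAD));  // -1
```

The validator only decides where a well-formed header block ends; routing, logging or blocking of a rejected request is left to the surrounding proxy code.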


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2025-01-12T01:00:00.648Z
CISA Enriched: true
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb6de

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 10:48:34 AM

Last updated: 8/13/2025, 8:13:28 PM
