关联漏洞
标题:Node.js 安全漏洞 (CVE-2025-23167)Description:Node.js是Node.js开源的一个开源、跨平台的 JavaScript 运行时环境。 Node.js 20.x版本存在安全漏洞,该漏洞源于HTTP解析器不当终止HTTP/1标头,可能导致请求夹带攻击。
Description
Working exploit for CVE-2025-23167 – HTTP request smuggling in vulnerable Node.js 20.x versions before 20.19.2
介绍
# CVE-2025-23167 – Node.js HTTP Request Smuggling Exploit
Working exploit for CVE-2025-23167, a request smuggling vulnerability affecting Node.js 20.x versions prior to v20.19.2. This bug allows improper HTTP header termination, enabling attackers to bypass proxy-based access controls.
## Files
- exploit.py – Python3-based Exploit for the vulnerability.
- lab.js – Simple Node.js server to simulate a vulnerable environment.
## Usage
### Exploit
To run the exploit script:
- Run, `python3 exploit.py <target-domain-or-ip> <port>`
### Sample Input & Output
### Lab Setup
To set up the test environment:
- Make sure you're using Node.js v20.19.1 or below.
- Install express (`npm install express`).
- Then run, `node lab.js` to run the server.
- The server will be available at http://localhost:8989 (or your chosen port).
文件快照
[4.0K] /data/pocs/7c571bdbde9ddaf6f6ad12e82b65482d43d0ec6a
├── [1.4K] exploit.py
├── [ 903] lab.js
├── [ 874] README.md
└── [744K] sample.png
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。