CRLF Injection in Nodejs ‘undici’ via host

Moderate

mcollina published GHSA-5r9g-qh6m-jxff

Feb 16, 2023

Package

nodejs/undici (npm)

Affected versions

>=2.0.0 < 5.19.1

Patched versions

5.19.1

Description

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.

Severity

Moderate

4.6

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N