CRLF injection in request headers
CVE-2022-31150

5.3MEDIUM

Key Information:

Vendor

Nodejs

Status
Undici
Vendor
CVE Published:
19 July 2022

What is CVE-2022-31150?

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Affected Version(s)

undici < v5.7.1, >= v5.8.0

References

https://github.com/nodejs/undici/security/advisories/GHSA...
x_refsource_CONFIRM
https://hackerone.com/reports/409943
x_refsource_MISC
https://github.com/nodejs/undici/releases/tag/v5.8.0
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.