CRLF Injection in Nodejs ‘undici’ via host
CVE-2023-23936

6.5MEDIUM

Key Information:

Vendor: Nodejs
Status: Undici
Vendor: CVE Published:; 16 February 2023

🔔 Create Nodejs Vulnerability Alert

What is CVE-2023-23936?

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

Affected Version(s)

undici >=2.0.0, < 5.19.1

References

https://github.com/nodejs/undici/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nodejs/undici/commit/a2eff05401358f659...

x_refsource_MISC

https://hackerone.com/reports/1820955

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 16, 2023
Vulnerability Reserved
Jan 19, 2023

.