CVE-2023-23936

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-23936

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23936.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-23936

Aliases

Downstream

ALPINE-CVE-2023-23936

DEBIAN-CVE-2023-23936

RHSA-2023:1582

RHSA-2023:1583

RHSA-2023:2654

RHSA-2023:2655

RHSA-2023:5533

SUSE-SU-2023:0608-1

SUSE-SU-2023:0609-1

SUSE-SU-2023:0673-1

SUSE-SU-2023:0715-1

SUSE-SU-2023:0738-1

Related

Published

2023-02-16T17:30:23Z

Modified

2025-10-08T14:08:31.370276Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

CRLF Injection in Nodejs ‘undici’ via host

Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

References

Affected packages

Git / github.com/nodejs/undici

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/undici
Events: Introduced

6e91fbf0a1475d2385abcf20b58e1d21f527c0a3

Fixed

984d53bad97c98529424a7f3bef6be1d0e76d039

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.1.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.0.0-alpha.0

v4.0.0-alpha.1

v4.0.0-alpha.2

v4.0.0-alpha.4

v4.0.0-alpha.5

v4.0.0-rc.1

v4.0.0-rc.2

v4.0.0-rc.3

v4.0.0-rc.4

v4.0.0-rc.5

v4.0.0-rc.7

v4.0.0-rc.8

v4.1.0

v4.1.1

v4.10.0

v4.10.1

v4.10.2

v4.10.3

v4.10.4

v4.11.0

v4.11.1

v4.11.2

v4.11.3

v4.12.0

v4.12.2

v4.13.0

v4.14.0

v4.14.1

v4.15.0

v4.15.1

v4.16.0

v4.2.1

v4.2.2

v4.3.0

v4.3.1

v4.4.1

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.5.0

v4.5.1

v4.6.0

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.8.0

v4.8.1

v4.8.2

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.10.0

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.15.1

v5.15.2

v5.16.0

v5.17.0

v5.17.1

v5.18.0

v5.19.0

v5.2.0

v5.3.0

v5.4.0

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.7.0

v5.8.0

v5.8.1

v5.8.2

v5.9.1

Git / github.com/nodejs/undici

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

7162e686b18d22b4385fa5c04274fb04dbd810c7

Fixed

96a4559f259f109a2abc480caeba12644b8a8fd1

Affected versions

v16.*

v16.0.0

v16.1.0

v16.10.0

v16.11.0

v16.11.1

v16.12.0

v16.13.0

v16.13.1

v16.13.2

v16.14.0

v16.14.1

v16.14.2

v16.15.0

v16.15.1

v16.16.0

v16.17.0

v16.17.1

v16.18.0

v16.18.1

v16.19.0

v16.2.0

v16.3.0

v16.4.0

v16.4.1

v16.4.2

v16.5.0

v16.6.0

v16.6.1

v16.6.2

v16.7.0

v16.8.0

v16.9.0

v16.9.1