DEBIAN-CVE-2022-35948
- Source
- https://security-tracker.debian.org/tracker/DEBIAN-CVE-2022-35948
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-35948.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-35948
- Upstream
- Published
- 2022-08-15T11:21:38Z
- Modified
- 2025-09-19T06:15:27Z
- Summary
- [none]
- Details
-
undici is an HTTP/1.1 client, written from scratch for Node.js.
=< undici@5.8.0users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside thecontent-typeheader. Example:import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, })The above snippet will perform two requests in a singlerequestAPI call: 1)http://localhost:3000/2)http://localhost:3000/foo2This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. - References
Affected packages
Debian:12 / node-undici
Package
- Name
- node-undici
- Purl
- pkg:deb/debian/node-undici?arch=source
Debian:13 / node-undici
Package
- Name
- node-undici
- Purl
- pkg:deb/debian/node-undici?arch=source
Debian:14 / node-undici
Package
- Name
- node-undici
- Purl
- pkg:deb/debian/node-undici?arch=source