GHSA-5r9g-qh6m-jxff

Suggest an improvement
Source
https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-5r9g-qh6m-jxff/GHSA-5r9g-qh6m-jxff.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5r9g-qh6m-jxff
Aliases
Published
2023-02-16T20:46:30Z
Modified
2023-12-06T00:47:49.106501Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
CRLF Injection in Nodejs ‘undici’ via host
Details

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.

References

Affected packages

npm / undici

Package

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
5.19.1