GHSA-f772-66g8-q5h3

Suggest an improvement
Source
https://github.com/advisories/GHSA-f772-66g8-q5h3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f772-66g8-q5h3/GHSA-f772-66g8-q5h3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f772-66g8-q5h3
Aliases
Published
2022-08-18T19:02:56Z
Modified
2023-11-01T04:59:24.684986Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Details

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

1) http://localhost:3000/ 2) http://localhost:3000/foo2

Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

References

Affected packages

npm / undici

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.8.2

Database specific

{
    "last_known_affected_version_range": "<= 5.8.1"
}