=< undici@5.8.0
users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type
header.
Example:
import { request } from 'undici'
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'
await request('http://localhost:3000, {
method: 'GET',
headers: {
'content-type': unsanitizedContentTypeInput
},
})
The above snippet will perform two requests in a single request
API call:
1) http://localhost:3000/
2) http://localhost:3000/foo2
This issue was patched in Undici v5.8.1
Sanitize input when sending content-type headers using user input.
If you have any questions or comments about this advisory: