GHSA-5r9g-qh6m-jxff

Source
https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-5r9g-qh6m-jxff/GHSA-5r9g-qh6m-jxff.json
Aliases
Published
2023-02-16T20:46:30Z
Modified
2023-12-06T01:02:51.700182Z
Details

Impact

The undici library does not protect the host HTTP header from CRLF injection: a CR or LF character in the value supplied for the host header is passed through unchanged, so untrusted input reaching that header can split the request.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string (reject or strip CR and LF characters) before passing it to undici.
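The workaround above, as an added example that is not part of the advisory or of the undici project: a small validator that rejects any host header value containing control characters (including CR and LF) and checks that the remainder is a plausible host[:port], plus a helper that applies it to a headers object before the object is handed to a client call such as undici's request(). The function names safeHostHeader and sanitizeRequestHeaders, and the host pattern, are this example's own choices.

```javascript
// Added example (not advisory or undici code): validate a Host header
// value before handing it to an HTTP client, so a CR or LF in an
// attacker-influenced host cannot terminate the header line early.

// Host syntax per RFC 3986: reg-name, IPv4 literal, or bracketed IPv6,
// each with an optional :port. The pattern is this example's assumption.
const HOST_PATTERN = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%-]+)(:\d{1,5})?$/;

function safeHostHeader(value) {
  if (typeof value !== 'string') {
    throw new TypeError('host header must be a string');
  }
  // Reject every ASCII control character (0x00-0x1f and 0x7f); this covers
  // CR (0x0d) and LF (0x0a), the two characters that split a header line.
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error('host header contains control characters');
  }
  if (!HOST_PATTERN.test(value)) {
    throw new Error('host header is not a valid host[:port]');
  }
  return value;
}

// Return a copy of a headers object with the host value validated.
// Only the host header is checked here; other headers are passed through.
function sanitizeRequestHeaders(headers) {
  const out = { ...headers };
  for (const name of Object.keys(out)) {
    if (name.toLowerCase() === 'host') {
      out[name] = safeHostHeader(out[name]);
    }
  }
  return out;
}

// Intended use (kept as a comment so the example runs without undici
// installed and without network access):
//   const { request } = require('undici');
//   const headers = sanitizeRequestHeaders({ host: userSuppliedHost });
//   const res = await request('http://backend.internal/', { headers });
```

Rejecting rather than stripping is the safer default: an input that contains CR or LF is not a host name a legitimate caller would send, and silently stripping the bytes would hide the attempt from logs and from the caller.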

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.

Affected packages

npm / undici

Package

Name
undici

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
5.19.1