GHSA-f772-66g8-q5h3

Source

https://github.com/advisories/GHSA-f772-66g8-q5h3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f772-66g8-q5h3/GHSA-f772-66g8-q5h3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f772-66g8-q5h3

Aliases

CVE-2022-35948

Published

2022-08-18T19:02:56Z

Modified

2023-11-08T04:09:53.836338Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Details

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

1) http://localhost:3000/ 2) http://localhost:3000/foo2

Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

Open an issue in undici repository
To make a report, follow the SECURITY document

Database specific

{
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "github_reviewed_at": "2022-08-18T19:02:56Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74",
        "CWE-93"
    ]
}

References

Affected packages

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.8.2

Database specific

{
    "last_known_affected_version_range": "<= 5.8.1"
}