Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01cjlnLXFoNm0tanhmZs4AAxq9
CRLF Injection in Nodejs ‘undici’ via host
Impact
undici library does not protect host HTTP header from CRLF injection vulnerabilities.
Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the headers.host string before passing to undici.
References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
Permalink: https://github.com/advisories/GHSA-5r9g-qh6m-jxffJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cjlnLXFoNm0tanhmZs4AAxq9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-5r9g-qh6m-jxff, CVE-2023-23936
References:
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
- https://nvd.nist.gov/vuln/detail/CVE-2023-23936
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
- https://hackerone.com/reports/1820955
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Blast Radius: 23.0
Affected Packages
npm:undici
Dependent packages: 1,956Dependent repositories: 98,048
Downloads: 35,987,480 last month
Affected Version Ranges: >= 2.0.0, < 5.19.1
Fixed in: 5.19.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.12.0, 4.12.1, 4.12.2, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.16.0, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.6.1, 5.7.0, 5.8.0, 5.8.1, 5.8.2, 5.9.0, 5.9.1, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.15.1, 5.15.2, 5.16.0, 5.17.0, 5.17.1, 5.18.0, 5.19.0
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 5.19.1, 5.20.0, 5.21.0, 5.21.1, 5.21.2, 5.22.0, 5.22.1, 5.23.0, 5.24.0, 5.25.0, 5.25.1, 5.25.2, 5.25.3, 5.25.4, 5.26.0, 5.26.1, 5.26.2, 5.26.3, 5.26.4, 5.26.5, 5.27.0, 5.27.1, 5.27.2, 5.28.0, 5.28.1, 5.28.2, 5.28.3, 5.28.4, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.8.0, 6.9.0, 6.10.0, 6.10.1, 6.10.2, 6.11.0, 6.11.1, 6.12.0, 6.13.0, 6.14.0, 6.14.1, 6.15.0