Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-23936

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

Published

2023-02-16T18:15:10.877

Last Modified

2024-11-21T07:47:08.223

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-93
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	node.js	< 16.19.1	Yes
Application	nodejs	node.js	< 18.14.1	Yes
Application	nodejs	node.js	< 19.6.1	Yes
Application	nodejs	undici	< 5.19.1	Yes

References

https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 Patch ([email protected])
https://github.com/nodejs/undici/releases/tag/v5.19.1 Release Notes ([email protected])
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff Vendor Advisory ([email protected])
https://hackerone.com/reports/1820955 Exploit, Third Party Advisory ([email protected])
https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nodejs/undici/releases/tag/v5.19.1 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1820955 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)