MEDIUM 4.6
GHSA-5r9g-qh6m-jxff
CRLF Injection in Nodejs ‘undici’ via host
Details
### Impact
The undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities.
### Patches
This issue was patched in Undici v5.19.1.
### Workarounds
Sanitize the `headers.host` string before passing it to undici.
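One way to apply the workaround above while still on an unpatched version, as an added example that is not part of this advisory, the undici project's code, or the HackerOne report: validate caller-supplied header names and values (with a stricter shape check for `host`) so that a CR or LF can never reach the request undici serialises. The function names `isSafeHeaderValue`, `isSafeHostValue` and `sanitizeHeaders`, and the sample header objects, are this example's own constructions; upgrading to undici v5.19.1 remains the actual fix.

```javascript
// Added example, not undici's own code: reject header values that could carry
// CR/LF into the request header block. Sample inputs below are constructed.

// RFC 9110 field values allow visible ASCII, SP, HTAB and obs-text; CR, LF and
// other control bytes are never valid inside a value.
const INVALID_FIELD_VALUE_CHARS = /[\u0000-\u0008\u000A-\u001F\u007F]/;
// RFC 9110 token characters, the only ones allowed in a field name.
const VALID_FIELD_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// True when the value contains no control character, so it cannot terminate
// the header line it is placed on and start another.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !INVALID_FIELD_VALUE_CHARS.test(value);
}

// Stricter check for Host: besides no control characters, it must look like
// host[:port] (hostname or bracketed IPv6 literal) with no whitespace at all.
function isSafeHostValue(host) {
  if (!isSafeHeaderValue(host)) return false;
  return /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$/.test(host);
}

// Copy a headers object, throwing on any name or value that could inject
// CR/LF. Run this on user-influenced headers before handing them to undici.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!VALID_FIELD_NAME.test(name)) {
      throw new TypeError(`Invalid header name: ${JSON.stringify(name)}`);
    }
    const check = name.toLowerCase() === 'host' ? isSafeHostValue : isSafeHeaderValue;
    if (!check(value)) {
      throw new TypeError(`Rejected header ${name}: control characters or malformed value`);
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample inputs (not from the advisory or the report).
const goodHeaders = { host: 'example.com:8080', accept: 'application/json' };
const badHeaders = { host: 'example.com\r\nX-Injected: 1' };

console.log('accepted:', sanitizeHeaders(goodHeaders));
try {
  sanitizeHeaders(badHeaders);
} catch (e) {
  console.log('rejected:', e.message);
}

// Intended call site (not executed here; undici is the library the advisory
// covers, and request() is its documented API):
//   const { request } = require('undici');
//   await request(url, { headers: sanitizeHeaders(userSuppliedHeaders) });
```

The check is applied to every header, not only `host`, because the same CR/LF defect would be equally dangerous in any field a caller controls; the extra shape test on `host` also blocks values that are control-free but still not a plausible `host[:port]`.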
### References
Reported at https://hackerone.com/reports/1820955.
### Credits
Thank you to Zhipeng Zhang ([@timon8](https://hackerone.com/timon8)) for reporting this vulnerability.
References
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-23936 [ADVISORY]
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 [WEB]
- https://hackerone.com/reports/1820955 [WEB]
- https://github.com/nodejs/undici [PACKAGE]
- https://github.com/nodejs/undici/releases/tag/v5.19.1 [WEB]