CVE-2022-31150

2022-07-1921:15:15

CWE-93

[email protected]

web.nvd.nist.gov

undici

http

node.js

vulnerability

cve-2022-31150

security

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.4%

JSON

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Affected configurations

Vulners

NVD

Node

nodejsundiciRange8.0–7.1

VendorProductVersionCPE
nodejsundici*cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodejs	undici	*	cpe:2.3:a:nodejs:undici::::::::

CNA Affected

[
  {
    "product": "undici",
    "vendor": "nodejs",
    "versions": [
      {
        "status": "affected",
        "version": "< v5.7.1, >= v5.8.0"
      }
    ]
  }
]