CVE-2022-35948

2022-08-1511:21:38

CWE-93

CWE-74

[email protected]

web.nvd.nist.gov

undici

http/1.1

client

crlf injection

headers

unsanitized input

content-type

vulnerability

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.1%

JSON

undici is an HTTP/1.1 client, written from scratch for Node.js.=< [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) The above snippet will perform two requests in a single request API call: 1) http://localhost:3000/ 2) http://localhost:3000/foo2 This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Affected configurations

Vulners

NVD

Node

nodejsundiciMatch5.8.0

VendorProductVersionCPE
nodejsundici5.8.0cpe:2.3:a:nodejs:undici:5.8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodejs	undici	5.8.0	cpe:2.3:a:nodejs:undici:5.8.0:::::::*

CNA Affected

[
  {
    "vendor": "nodejs",
    "product": "undici",
    "versions": [
      {
        "version": "=< 5.8.0",
        "status": "affected"
      }
    ]
  }
]