GitHub_MCVELIST:CVE-2022-31150CVE-2022-31150 CRLF injection in request headers
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.4%
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.
CNA Affected
[
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "< v5.7.1, >= v5.8.0"
}
]
}
]Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.4%