cvelist | GitHub_M | CVELIST:CVE-2022-35948
History: Aug 13, 2022 - 12:00 a.m.

CVE-2022-35948 CRLF Injection in Nodejs ‘undici’ via Content-Type

2022-08-13 00:00:00
CWE-93
CWE-74
GitHub_M
www.cve.org
3
cve-2022-35948
crlf injection
node.js
undici
content-type
http/1.1
vulnerability
headers
unsanitized input
patch
undici v5.8.1
sanitize input

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 7.3 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 34.1%)

undici is an HTTP/1.1 client, written from scratch for Node.js. =< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

    import { request } from 'undici'

    // Unsanitized value: the embedded CRLF sequences end the header block early
    const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

    await request('http://localhost:3000', {
      method: 'GET',
      headers: {
        'content-type': unsanitizedContentTypeInput
      },
    })

The above snippet will perform two requests in a single request API call:

1) http://localhost:3000/
2) http://localhost:3000/foo2

This issue was patched in Undici v5.8.1. As a workaround, sanitize user input before sending it in content-type headers.
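One way to apply the workaround above, as an added example that is not code from undici or from the advisory: accept a user-supplied content-type only if it parses as a media type with well-formed parameters, which rejects CR, LF and anything else outside that grammar. The names assertSafeContentType and splitParams are hypothetical, and the check is deliberately strict (a trailing ';' is rejected).

```javascript
// Added example, not undici code: function names are hypothetical.
// RFC 9110 token characters (type, subtype, parameter names, unquoted values).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Quoted-string: HTAB, SP, visible ASCII except '"' and '\', or a backslash escape.
const QUOTED = /^"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"$/;

// Split on ';' only outside quoted strings, so boundary="a;b" stays in one piece.
function splitParams(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === '\\') { current += ch + (value[++i] ?? ''); continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ';' && !inQuotes) { parts.push(current); current = ''; continue; }
    current += ch;
  }
  parts.push(current);
  return parts;
}

// Returns a normalized value, or throws if the input is not a well-formed media type.
function assertSafeContentType(input) {
  if (typeof input !== 'string') throw new TypeError('content-type must be a string');
  // Reject CR, LF, NUL and every other control character except HTAB up front.
  if (/[\x00-\x08\x0A-\x1F\x7F]/.test(input)) {
    throw new Error('content-type contains control characters');
  }
  const [mediaType, ...params] = splitParams(input).map((p) => p.trim());
  const [type, subtype, extra] = mediaType.split('/');
  if (extra !== undefined || !TOKEN.test(type ?? '') || !TOKEN.test(subtype ?? '')) {
    throw new Error('content-type is not type/subtype');
  }
  const normalized = [`${type}/${subtype}`.toLowerCase()];
  for (const param of params) {
    const eq = param.indexOf('=');
    const name = param.slice(0, eq);
    const val = param.slice(eq + 1);
    if (eq < 1 || !TOKEN.test(name) || !(TOKEN.test(val) || QUOTED.test(val))) {
      throw new Error('content-type has a malformed parameter');
    }
    normalized.push(`${name.toLowerCase()}=${val}`);
  }
  return normalized.join('; ');
}

// Usage (constructed): headers: { 'content-type': assertSafeContentType(userInput) }
```

Validation at the call site complements upgrading to the patched release; it does not replace it.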

CNA Affected

[
  {
    "vendor": "nodejs",
    "product": "undici",
    "versions": [
      {
        "version": "=< 5.8.0",
        "status": "affected"
      }
    ]
  }
]
