undici is vulnerable to CRLF injection. The vulnerability exists because the request path URL is not sanitized in the request class of request.js, allowing an attacker to inject and execute malicious request headers when that header contains the \r\n characters.
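
Added example (not undici's code and not part of the original advisory): a naive HTTP/1.1 request-head builder beside one that rejects CR, LF and other control characters in the path before serializing. The function names, the example.test host and the sample path are constructed for illustration.

```javascript
// Naive form: the caller-supplied path is concatenated into the request
// line unchecked, so any "\r\n" inside it ends the line early.
function buildRequestHeadNaive(method, path, host) {
  return `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n\r\n`;
}

// Characters that must never appear in a request target:
// NUL and the other C0 controls (including CR and LF), space, and DEL.
const INVALID_PATH_CHARS = /[\u0000-\u0020\u007f]/;

// Hardened form: validate first, serialize second.
function assertSafePath(path) {
  if (typeof path !== 'string' || path[0] !== '/') {
    throw new TypeError('path must be a string starting with "/"');
  }
  if (INVALID_PATH_CHARS.test(path)) {
    throw new TypeError('path contains invalid characters');
  }
  return path;
}

function buildRequestHead(method, path, host) {
  return `${method} ${assertSafePath(path)} HTTP/1.1\r\nhost: ${host}\r\n\r\n`;
}

// Header names as a line-based HTTP parser on the receiving side sees them.
function headerNames(head) {
  return head
    .split('\r\n')
    .slice(1)                       // drop the request line
    .filter(Boolean)                // drop the empty terminator lines
    .map((line) => line.split(':')[0].toLowerCase());
}

// Constructed sample input: a path carrying an embedded CRLF.
const SAMPLE_PATH = '/items\r\nx-injected: 1';

function demo() {
  const naive = headerNames(buildRequestHeadNaive('GET', SAMPLE_PATH, 'example.test'));
  let rejected = false;
  try {
    buildRequestHead('GET', SAMPLE_PATH, 'example.test');
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { naive, rejected };
}
```

Validating at the point where the request object is constructed means a path that fails the check never reaches the socket writer.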