Undici is vulnerable to CRLF injection. The vulnerability is due to improper sanitization of the content-type request header in lib/core/request.js. An attacker can exploit this vulnerability to perform two requests in a single API call.
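One way to reject such header values before a request head is written, shown as an added example that is not undici's code or its fix. The helper names (checkHeader, buildRequestHead, countHeadLines, demo) and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names, not undici's implementation.
const FORBIDDEN_IN_VALUE = /[\r\n\0]/;           // CR, LF and NUL never belong in a field value
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;  // RFC 7230 "token" grammar for field names

// Returns the value as a string, or throws if the name or value is not safe to serialize.
function checkHeader(name, value) {
  if (!TOKEN.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  const text = String(value);
  if (FORBIDDEN_IN_VALUE.test(text)) {
    throw new TypeError(`invalid ${name} header value: ${JSON.stringify(text)}`);
  }
  return text;
}

// Serializes a request head; every header is validated before it is written.
function buildRequestHead(method, path, headers) {
  let head = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${checkHeader(name, value)}\r\n`;
  }
  return head + '\r\n';
}

// Counts the non-empty CRLF-terminated lines in a head (request line plus headers).
function countHeadLines(head) {
  return head.split('\r\n').filter((line) => line.length > 0).length;
}

// Constructed sample inputs: one clean, one whose content-type carries a CRLF.
const clean = { host: 'api.example.test', 'content-type': 'application/json' };
const tainted = { host: 'api.example.test', 'content-type': 'application/json\r\nx-extra: 1' };

function demo() {
  const results = { cleanLines: countHeadLines(buildRequestHead('POST', '/v1/items', clean)) };
  try {
    buildRequestHead('POST', '/v1/items', tainted);
    results.taintedRejected = false; // would mean an extra line reached the head
  } catch (err) {
    results.taintedRejected = err instanceof TypeError;
  }
  return results;
}

console.log(demo());
```

The same check belongs at any layer that forwards caller-supplied header values to an HTTP client, since a value that passes through unvalidated is written to the wire verbatim.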
github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80
github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80#diff-7d30f7ef62c49f60ef5b01576ca8898402aa790a09c623b13f9e0ea090fba7e6R300-R301
github.com/nodejs/undici/releases/tag/v5.8.2
github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3