Headline
GHSA-3cvr-822r-rqcc: undici before v5.8.0 vulnerable to CRLF injection in request headers
Impact
It is possible to inject CRLF sequences into request headers in Undici.
const undici = require('undici')
const response = undici.request("http://127.0.0.1:1000", {
headers: {'a': "\r\nb"}
})
The same applies to path and method
Patches
Update to v5.8.0
Workarounds
Sanitize all HTTP headers from untrusted sources to eliminate \r\n.
References
https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
For more information
If you have any questions or comments about this advisory:
- Open an issue in undici repository
- To make a report, follow the SECURITY document
Package
npm undici (npm)
Affected versions
< 5.8.0
Patched versions
5.8.0
Description
Impact
It is possible to inject CRLF sequences into request headers in Undici.
const undici = require(‘undici’)
const response = undici.request("http://127.0.0.1:1000", { headers: {’a’: "\r\nb"} })
The same applies to path and method
Patches
Update to v5.8.0
Workarounds
Sanitize all HTTP headers from untrusted sources to eliminate \r\n.
References
https://hackerone.com/reports/409943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
For more information
If you have any questions or comments about this advisory:
- Open an issue in undici repository
- To make a report, follow the SECURITY document
References
- GHSA-3cvr-822r-rqcc
- https://nvd.nist.gov/vuln/detail/CVE-2022-31150
- nodejs/undici@a29a151
- https://hackerone.com/reports/409943
- https://github.com/nodejs/undici/releases/tag/v5.8.0
mcollina published the maintainer security advisory
Jul 18, 2022
Severity
Moderate
5.3
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses
CWE-93
CVE ID
CVE-2022-31150
GHSA ID
GHSA-3cvr-822r-rqcc
Source code
nodejs/undici
Credits
- Haxatron
Checking history
See something to contribute? Suggest improvements for this vulnerability.
Related news
Red Hat Security Advisory 2022-6696-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-31150: nodejs16: CRLF injection in node-undici * CVE-2022-31151: nodejs/undici: Cookie headers uncleared on cross-origin redirect * CV...
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.