CVE-2022-31150

MEDIUM

undici < 5.8.0 - CRLF Injection in HTTP Headers


Description

undici is an HTTP/1.1 client, written from scratch for Node.js. In versions before 5.8.0 it is possible to inject CRLF (`\r\n`) sequences into request headers: a header name or value taken from untrusted input and containing a bare `\r\n` is written to the wire unchanged, so the attacker can terminate the header, add further headers, or end the header block and begin a second request (request smuggling / HTTP response splitting on the client side). The fix in 5.8.0 rejects header names and values containing CR or LF. For versions that cannot be upgraded, the workaround is to sanitize all HTTP headers that originate from untrusted sources so that they contain no `\r` or `\n`.
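The following is an added example, not code from the undici project, illustrating the class of bug and the workaround above. `serializeUnchecked` is a constructed, deliberately naive HTTP/1.1 serializer standing in for any client that does not validate headers; `assertSafeHeaders` is the check a caller can apply to untrusted input before handing it to an unpatched client. The `X-Forwarded-For` payload is constructed for the demonstration.

```javascript
// Added example (not undici's own code). Shows what a CR/LF in a header value
// does to a serialized HTTP/1.1 request, and a guard that rejects such input.

const CRLF_RE = /[\r\n]/;

// True if a header name or value contains a bare CR or LF.
function containsCRLF(s) {
  return CRLF_RE.test(String(s));
}

// Workaround from the advisory, as a reject-on-sight check: throw if any
// header name or value (string or array of strings) contains CR or LF.
function assertSafeHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (containsCRLF(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (containsCRLF(v)) {
        throw new TypeError(`invalid header value for ${name}: ${JSON.stringify(v)}`);
      }
    }
  }
  return headers;
}

// Alternative for callers who prefer to scrub rather than reject:
// remove every CR and LF from each header value.
function stripCRLF(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    clean[name] = String(value).replace(/[\r\n]+/g, '');
  }
  return clean;
}

// Constructed, deliberately unchecked serializer: this is what an HTTP client
// without header validation puts on the wire. Real clients such as undici
// >= 5.8.0 refuse the input instead.
function serializeUnchecked(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + '\r\n';
}

// Count how many request blocks appear in the serialized bytes; an empty line
// (CRLF CRLF) ends a header block, so an injected one starts a new request.
function countRequests(raw) {
  return raw.split('\r\n\r\n').filter(Boolean).length;
}

// Constructed attacker-controlled value: ends the header, adds a header the
// caller never set, then ends the request and begins a second one.
const INJECTED =
  'client\r\nX-Admin: true\r\n\r\nGET /internal HTTP/1.1\r\nHost: example.test';

// Run the unchecked path, the reject check and the strip workaround on the
// same untrusted input and report what each produced.
function demo() {
  const untrusted = { 'x-forwarded-for': INJECTED };

  const raw = serializeUnchecked('GET', '/', 'example.test', untrusted);
  const requestsOnWire = countRequests(raw);          // 2: smuggled request

  let rejected = false;
  try {
    assertSafeHeaders(untrusted);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  const scrubbed = stripCRLF(untrusted);
  const scrubbedRequests = countRequests(
    serializeUnchecked('GET', '/', 'example.test', scrubbed)
  );                                                  // 1: nothing injected

  return { requestsOnWire, rejected, scrubbedRequests };
}

console.log(demo());
```

Rejecting is the safer of the two workarounds: stripping silently turns `"client\r\nX-Admin: true"` into `"clientX-Admin: true"`, which still reaches the server as a header value, whereas a thrown error makes the bad input visible to the caller.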

References (4)

Exploit, Third Party Advisory (vendor confirmed)
https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc
Exploit, Third Party Advisory
https://hackerone.com/reports/409943
Release Notes, Third Party Advisory
https://github.com/nodejs/undici/releases/tag/v5.8.0
Third Party Advisory (vendor confirmed)
https://security.netapp.com/advisory/ntap-20220915-0002/

Scores

CVSS v3 5.3
EPSS 0.0112
EPSS Percentile 61.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-93
Status published
Products (2)
nodejs/undici < 5.8.0
npm/undici >= 0, < 5.8.0
Published Jul 19, 2022
Tracked Since Feb 18, 2026