logo

Database

Lack of data validation In sse-channel

Description

sse-channel: SSE Injection via unsanitized event fields

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

    Event Spoofing: Attacker can inject arbitrary SSE events into the stream

    Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners

    Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones

Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-442172. NVD-2026-442173. OSV-2026-442174. GHSA-84hm-wfh8-c5pg5. GCVE-2026-44217

References

1. https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg2. https://github.com/rexxars/sse-channel/issues/42

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.