Lack of data validation in nodejs22
Description
CRLF injection in undici via the upgrade option
Impact
When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
```js
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
```
Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
Workarounds
Sanitize the upgrade option string before passing it to undici:
```js
function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({...
```
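The following is an added example, not undici's own code or the advisory's: it reproduces the header construction quoted above in isolation, shows how a CRLF (or bare LF) in the upgrade value turns two header lines into three, and compares the advisory's CR/LF reject check with a stricter allow-list check (`sanitizeUpgradeStrict`, a hypothetical helper of this example) that only accepts an HTTP token of the shape `protocol[/version]`, the grammar the Upgrade header field uses. All sample inputs are constructed.

```javascript
// Added example (not undici's code). Mirrors the vulnerable interpolation
// quoted from lib/dispatcher/client-h1.js so the effect can be inspected
// without a socket, and contrasts two validators for the upgrade option.

// Vulnerable construction: the value is written verbatim into the header block.
function buildUpgradeHeader(upgrade) {
  return `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

// Number of header lines a lenient HTTP parser (one that also accepts a bare
// LF as a line terminator) would see. A well-formed value yields exactly two.
function headerLineCount(upgrade) {
  return buildUpgradeHeader(upgrade).split(/\r?\n/).filter(Boolean).length
}

// The advisory's workaround: reject raw CR or LF.
function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

// Stricter allow-list variant (an assumption of this example, not undici's
// API): the Upgrade field carries protocol-name[/version] tokens, so only
// RFC 9110 tchar characters plus an optional "/" separator are legal.
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"
const UPGRADE_TOKEN_RE = new RegExp(`^${TCHAR}(\\/${TCHAR})?$`)

function isValidUpgradeToken(value) {
  return typeof value === 'string' && UPGRADE_TOKEN_RE.test(value)
}

function sanitizeUpgradeStrict(value) {
  if (!isValidUpgradeToken(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

// Constructed sample inputs.
const SAMPLES = {
  good: 'websocket',
  versioned: 'h2c/1.0',
  crlf: 'websocket\r\nx-injected: 1', // smuggles an extra header line
  bareLf: 'websocket\nx-injected: 1', // bare LF; many parsers still split here
  space: 'web socket', // not a token; only the strict check rejects it
}

// Reports which validator accepts a value and how many header lines it produces.
function classify(value) {
  const accepts = (fn) => {
    try {
      fn(value)
      return true
    } catch {
      return false
    }
  }
  return {
    basic: accepts(sanitizeUpgrade),
    strict: accepts(sanitizeUpgradeStrict),
    lines: headerLineCount(value),
  }
}

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, classify(value))
}
```

The CR/LF check from the advisory is enough to stop header injection; the allow-list is what a caller that does not control the value should prefer, because it also rejects values that are merely malformed (spaces, quotes, non-ASCII) rather than waiting for the next separator-based parsing quirk.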
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| rpm rhel10 | - | - | |
| rpm rhel9 | - | - | |
| rpm rhel8 | - | - | |
| rpm rhel10 | - | | 1:24.14.1-2.el10_1 |
| debian 13 | - | | |
| debian 14 | - | | 7.24.5+dfsg+~cs3.2.0-1 |
| npm | undici | | 6.24.0, 7.24.0 |