Fluid Attacks Database

Description

CRLF Injection in Nodejs ‘undici’ via host

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.18	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.19	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
debian 14	node-undici	>=0 <5.19.1+dfsg1+~cs20.10.9.5-1	5.19.1+dfsg1+~cs20.10.9.5-1
debian 13	node-undici	>=0 <5.19.1+dfsg1+~cs20.10.9.5-1	5.19.1+dfsg1+~cs20.10.9.5-1
npm	undici	>=2.0.0 <5.19.1	5.19.1
alpine v3.15	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.2-r0 \|\| =16.14.0-r0 \|\| =16.14.2-r0 \|\| =16.16.0-r0 \|\| =16.17.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.19.1-r0	16.19.1-r0
alpine v3.16	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.17.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.19.1-r0	16.19.1-r0
alpine v3.17	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.20	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.21	nodejs	>=0 <18.14.1-r0	18.14.1-r0

1-10 of 16

Aliases

1. CVE-2023-239362. NVD-2023-239363. OSV-ALPINE-2023-239364. OSV-2023-239365. OSV-DEBIAN-2023-239366. GHSA-5r9g-qh6m-jxff7. GCVE-2023-239368. SECURITY-CVE-2023-239369. SECURITY-TRACKER-CVE-2023-23936

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff2. https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f20343. https://hackerone.com/reports/18209554. https://github.com/nodejs/undici/releases/tag/v5.19.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.