Lack of data validation in undici
Description
Node.js 'undici' is vulnerable to CRLF injection via the Content-Type header
Impact
=< [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.
Example:
```js
import { request } from 'undici'

// User-controlled value containing CRLF sequences and a second request line
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  }
})
```
The above snippet will perform two requests in a single request API call:
http://localhost:3000/
http://localhost:3000/foo2
Patches
This issue was patched in Undici v5.8.1.
Workarounds
Sanitize input when sending content-type headers using user input.
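One way to apply this workaround, as an added example that is not undici's own code: parse the user-supplied value against the RFC 9110 media-type grammar and reject anything that does not match, rather than stripping characters. The names `sanitizeContentType` and `buildHeaders` and the 256-character limit are assumptions made for this example.

```javascript
// Added example, not undici's code. Allow-list grammar for a Content-Type value
// (RFC 9110 media-type: type "/" subtype *( OWS ";" OWS name "=" value )).
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"
// quoted-string limited to visible ASCII, space and tab: no CR, LF or NUL.
const QUOTED = '"(?:[\\t \\x21\\x23-\\x5B\\x5D-\\x7E]|\\\\[\\t \\x21-\\x7E])*"'
const MEDIA_TYPE = new RegExp(`^(${TOKEN})/(${TOKEN})`)
const PARAM = new RegExp(`[\\t ]*;[\\t ]*(${TOKEN})=(${TOKEN}|${QUOTED})`, 'y')
const MAX_LENGTH = 256 // assumed limit for this example

// Returns a normalized value, or throws if any byte falls outside the grammar.
function sanitizeContentType (input) {
  if (typeof input !== 'string' || input.length > MAX_LENGTH) {
    throw new TypeError('content-type must be a short string')
  }
  const head = MEDIA_TYPE.exec(input)
  if (head === null) throw new Error('invalid media type')
  let out = `${head[1]}/${head[2]}`.toLowerCase()
  let pos = head[0].length
  PARAM.lastIndex = pos
  let m
  while ((m = PARAM.exec(input)) !== null) {
    out += `; ${m[1].toLowerCase()}=${m[2]}`
    pos = PARAM.lastIndex
  }
  // Anything left over (CR, LF, spaces, a second request line) is rejected, not stripped.
  if (pos !== input.length) throw new Error(`unexpected character at offset ${pos}`)
  return out
}

// Hypothetical helper: the headers object to hand to undici's request().
function buildHeaders (userContentType) {
  return { 'content-type': sanitizeContentType(userContentType) }
}

// Constructed sample inputs.
for (const sample of ['Application/JSON; charset=utf-8', 'application/json\r\n\r\nGET /foo2 HTTP/1.1']) {
  try {
    console.log('accepted:', buildHeaders(sample))
  } catch (err) {
    console.log('rejected:', JSON.stringify(sample), '-', err.message)
  }
}
```

Rejecting on the first out-of-grammar character also covers CR or LF placed inside a quoted parameter value, which a filter that only looks at the media type would miss.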
For more information
If you have any questions or comments about this advisory:
Open an issue in undici repository
To make a report, follow the SECURITY document
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | 5.8.2 | | |
| debian 14 | 5.8.2+dfsg1+~cs18.9.18.1-1 | | |
| debian 12 | 5.8.2+dfsg1+~cs18.9.18.1-1 | | |
| debian 13 | 5.8.2+dfsg1+~cs18.9.18.1-1 | | |