CVE-2022-31150

CVSS v3.1 6.5 (Medium)

EPSS 0.13 % (49^th)

Affected Products 1

Advisories 4

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Weaknesses

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-NVD-Other

CVE Status: PUBLISHED
CNA: GitHub, Inc.
Published Date: 2022-07-19 21:15:15
(2 years ago)
Updated Date: 2022-10-28 18:31:31
(23 months ago)

Affected Products

Nodejs

Undici

Configuration #1

		CPE23	From	Up To
	Nodejs Undici for Node.js prior 5.8.0 version	cpe:2.3:a:nodejs:undici::::::node.js		< 5.8.0