CVE-2022-31150

CWE-937
Documents: 6 sources
Severity: 6.5 MEDIUM
EPSS: 0.5% (top 33.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 19
Latest update: Jul 21

Description

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
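The workaround in the description, as an added defensive example that is not undici's own code or the fix shipped in 5.8.0: a check applied to headers assembled from untrusted input before they are handed to any HTTP/1.1 client. The function names and the sample header values are assumptions constructed for this example.

```javascript
// Added example, not from the advisory or the undici project.
// Implements the stated workaround: make sure no header name or value
// built from untrusted input can carry a CR/LF sequence, because an
// HTTP/1.1 client that serialises headers line by line would otherwise
// emit the injected text as additional header lines.

// RFC 7230 "token" characters allowed in a header field name.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// CR and LF (the vector for this CVE) plus the other C0 controls and DEL
// that a conforming field value may not contain; HTAB (0x09) is allowed.
const CTL_RE = /[\x00-\x08\x0a-\x1f\x7f]/;

// Strict policy: refuse the whole request if any header is unsafe.
// Prefer this for values that should never legitimately contain controls.
function assertSafeHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (!HEADER_NAME_RE.test(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (CTL_RE.test(String(value))) {
      throw new TypeError(`control character in header value for "${name}"`);
    }
  }
  return headers;
}

// Lenient policy: strip the offending characters (the description's
// "eliminate \r\n" wording) and drop names that are not valid tokens.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!HEADER_NAME_RE.test(name)) continue;
    out[name] = String(value).replace(/[\x00-\x08\x0a-\x1f\x7f]/g, '');
  }
  return out;
}

// Constructed sample: a header value that an attacker-controlled field
// (e.g. a user-supplied language preference) might carry.
const untrusted = { 'accept-language': 'en-US\r\nx-injected: 1' };
console.log(sanitizeHeaders(untrusted)); // { 'accept-language': 'en-USx-injected: 1' }
```

Run the strict variant at the trust boundary (e.g. where request parameters are copied into outbound headers) so the rejection is logged and visible, rather than silently stripped.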

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

CVEListV5: nodejs/undici, < v5.7.1, >= v5.8.0
NVD: nodejs/undici, < 5.8.0
Debian: node-undici, < 5.8.0+dfsg1+~cs18.9.16-1+2
npm: undici, < 5.8.0

Vulnerability Details (4)

GHSA: undici before v5.8.0 vulnerable to CRLF injection in request headers (2022-07-21)
OSV: undici before v5.8.0 vulnerable to CRLF injection in request headers (2022-07-21)
OSV: CVE-2022-31150: undici is an HTTP/1 (2022-07-19)
CVEList: CRLF injection in request headers (2022-07-19)

Vendor Advisories (2)

Red Hat: nodejs16: CRLF injection in node-undici (2022-07-19)
Debian: CVE-2022-31150: node-undici - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible t... (2022)
CVE-2022-31150 (MEDIUM CVSS 6.5) | undici is an HTTP/1.1 client | cvebase.io