CVE-2022-35948

15.08.2022, 11:21

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Affected Products (NVD)

Vendor	Product	Version
nodejs	undici	𝑥 < 5.8.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-undici

bookworm	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 fixed
bookworm (security)	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 fixed
sid	5.28.4+dfsg1+~cs23.12.11-2 fixed
trixie	5.28.4+dfsg1+~cs23.12.11-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-undici

bionic	dne
focal	dne
jammy	dne
kinetic	not-affected
trusty	dne
xenial	dne

openSUSE / SLES Releases

openSUSE Product

Release

nodejs16

suse enterprise sap 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise sap 15 SP4	16.17.0-150400.3.6.1 fixed
suse enterprise server 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise server 15 SP4	16.17.0-150400.3.6.1 fixed

nodejs16-devel

suse enterprise sap 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise sap 15 SP4	16.17.0-150400.3.6.1 fixed
suse enterprise server 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise server 15 SP4	16.17.0-150400.3.6.1 fixed

nodejs16-docs

suse enterprise sap 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise sap 15 SP4	16.17.0-150400.3.6.1 fixed
suse enterprise server 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise server 15 SP4	16.17.0-150400.3.6.1 fixed

npm16

suse enterprise sap 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise sap 15 SP4	16.17.0-150400.3.6.1 fixed
suse enterprise server 15 SP3	16.17.0-150300.7.9.1 fixed
suse enterprise server 15 SP4	16.17.0-150400.3.6.1 fixed

Known Exploits!

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

https://github.com/nodejs/undici/releases/tag/v5.8.2

https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3

https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

https://github.com/nodejs/undici/releases/tag/v5.8.2

https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3