CVE-2022-35948

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80	Patch Third Party Advisory
https://github.com/nodejs/undici/releases/tag/v5.8.2	Release Notes Third Party Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-08-15 11:21

Updated : 2023-03-28 17:08

NVD link : CVE-2022-35948

Mitre link : CVE-2022-35948

CVE.ORG link : CVE-2022-35948

JSON object : View

Products Affected

nodejs

undici

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

NVD-CWE-Other

{"id": "CVE-2022-35948", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-08-15T11:21:38.353", "references": [{"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-93"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround."}, {"lang": "es", "value": "undici es un cliente HTTP/1.1, escrito desde cero para Node.js.\" versiones anteriores a undici@5.8.0 incluy\u00e9ndola\" los usuarios son vulnerables a una Inyecci\u00f3n CRLF en los encabezados cuando usan entradas no saneadas como encabezados de petici\u00f3n, m\u00e1s concretamente, dentro del encabezado \"content-type\". Ejemplo: \"\"\" import { request } from \"undici\" const unsanitizedContentTypeInput = \"application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1\" await request(\"http://localhost:3000, { method: \"GET\", headers: { \"content-type\": unsanitizedContentTypeInput }, }) \"\"\" El fragmento anterior llevar\u00e1 a cabo dos peticiones en una sola llamada a la API \"request\": 1) \"http://localhost:3000/\" 2) \"http://localhost:3000/foo2\" Este problema fue parcheado en Undici versi\u00f3n v5.8.1. Sanear la entrada cuando son enviados encabezados de tipo de contenido usando la entrada del usuario como mitigaci\u00f3n."}], "lastModified": "2023-03-28T17:08:29.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "24D7C364-5958-4D55-8817-8FB01BF845F7", "versionEndExcluding": "5.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}