CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
50.9%
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and
prior to version 5.19.1, the undici library does not protect host
HTTP
header from CRLF injection vulnerabilities. This issue is patched in Undici
v5.19.1. As a workaround, sanitize the headers.host
string before passing
to undici.
github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 (v5.19.1)
github.com/nodejs/undici/releases/tag/v5.19.1
github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
hackerone.com/reports/1820955
launchpad.net/bugs/cve/CVE-2023-23936
nvd.nist.gov/vuln/detail/CVE-2023-23936
security-tracker.debian.org/tracker/CVE-2023-23936
www.cve.org/CVERecord?id=CVE-2023-23936