Vulnerability Description
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.js | >= 16.0.0, < 16.19.1 |
| Nodejs | Undici | >= 2.0.0, < 5.19.1 |
Related Weaknesses (CWE)
References
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 (Patch)
- https://github.com/nodejs/undici/releases/tag/v5.19.1 (Release Notes)
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff (Vendor Advisory)
- https://hackerone.com/reports/1820955 (Exploit, Third Party Advisory)
FAQ
What is CVE-2023-23936?
CVE-2023-23936 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
How severe is CVE-2023-23936?
CVE-2023-23936 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-23936?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.js, Nodejs Undici.