CVE-2023-23936

Published: 16/02/2023 Updated: 24/02/2023
CVSS v3 Base Score: 5.4 | Impact Score: 2.5 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
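The advisory's workaround is to sanitize `headers.host` before it reaches undici. The following is an added example, not undici's own code or a patch from the project: a small validator that rejects a Host value containing CR, LF or any other ASCII control character (the bytes that would let a header value terminate the line and start a new one), then checks that what remains looks like `host[:port]`. The function names, the host grammar (a deliberately strict subset of the RFC 9110 `Host` syntax) and the sample values are assumptions made for this example.

```javascript
// Added example (not undici's code): validate an outbound Host header value
// before handing it to an HTTP client that does not reject CR/LF itself,
// as the CVE-2023-23936 workaround recommends for undici < 5.19.1.

// Strict host[:port] shape: DNS labels, IPv4 dotted literal, or bracketed
// IPv6 literal, optionally followed by ":" and 1-5 digits. Underscored or
// otherwise non-standard hostnames are rejected on purpose; widen it only
// if a deployment genuinely needs them. (Assumed grammar, not undici's.)
const HOST_PATTERN =
  /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?)(?::\d{1,5})?$/;

// True if the value contains any byte that could end or split a header
// line: CR (0x0d), LF (0x0a), NUL, the other C0 controls, or DEL (0x7f).
function containsControlChars(value) {
  return /[\x00-\x1f\x7f]/.test(value);
}

// Throws TypeError unless `host` is safe to emit as a Host header value.
// The control-character check runs first so the error message names the
// actual problem instead of a generic grammar mismatch.
function assertSafeHost(host) {
  if (typeof host !== 'string' || host.length === 0) {
    throw new TypeError('Host header must be a non-empty string');
  }
  if (containsControlChars(host)) {
    throw new TypeError('Host header contains control characters (possible header injection)');
  }
  if (!HOST_PATTERN.test(host)) {
    throw new TypeError(`Host header is not a valid host[:port]: ${JSON.stringify(host)}`);
  }
  return host;
}

// Returns a shallow copy of `headers` whose host entry (any letter case)
// has passed assertSafeHost; other headers are copied through untouched.
// This is the "sanitize headers.host before passing to undici" step.
function sanitizeRequestHeaders(headers) {
  const out = { ...headers };
  const key = Object.keys(out).find((k) => k.toLowerCase() === 'host');
  if (key !== undefined) {
    out[key] = assertSafeHost(out[key]);
  }
  return out;
}

// Non-throwing form, convenient for tests and for logging rejected values.
function isSafeHost(host) {
  try {
    assertSafeHost(host);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values for this example (not taken from the advisory).
const SAMPLE_HOSTS = {
  plain: 'example.com',
  withPort: 'example.com:8080',
  ipv6: '[::1]:3000',
  crlf: 'example.com\r\nX-Injected: 1',
  bareLf: 'example.com\nX-Injected: 1',
};
```

Usage: call `sanitizeRequestHeaders(req.headers)` on any header object that originates from user input before passing it to `undici.request` or `fetch`; a thrown `TypeError` should be treated as a rejected request and logged, since a control character in a Host value is never legitimate. Node's built-in `http.validateHeaderValue(name, value)` performs the control-character part of this check and is a reasonable alternative where the stricter host grammar is not wanted.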

Vulnerable Products

nodejs undici

nodejs node.js

Vendor Advisories

Debian Bug report logs - #1031418 node-undici: CVE-2023-23936 CVE-2023-24807 Package: src:node-undici; Maintainer for src:node-undici is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 16 Feb 2023 21:45:02 UTC Severity: imp ...
Synopsis Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9 ...
Synopsis Moderate: nodejs:18 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Secu ...
Synopsis Important: nodejs security, bug fix, and enhancement update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat P ...
Synopsis Moderate: nodejs:16 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Secu ...
Description: The MITRE CVE dictionary describes this issue as: Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string befor ...
Hitachi Ops Center Analyzer contains the following vulnerabilities: CVE-2022-43548, CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807, CVE-2023-30581, CVE-2023-30585, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590. Affected products and versions are listed below. Please upgrade your version to the appropriate versio ...