CVE-2022-31150 is a vulnerability in nodejs Undici
Published on July 19, 2022
CRLF injection in request headers
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Vulnerability Analysis
CVE-2022-31150 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a CRLF Injection Vulnerability?
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2022-31150 has been classified to as a CRLF Injection vulnerability or weakness.
Products Associated with CVE-2022-31150
Want to know whenever a new CVE is published for nodejs Undici? stack.watch will email you.
Affected Versions
nodejs undici Version < v5.7.1, >= v5.8.0 is affected by CVE-2022-31150Vulnerable Packages
The following package name and versions may be associated with CVE-2022-31150
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | undici | < 5.8.0 | 5.8.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.