CVE-2023-23936

CVE-2023-23936

Name

CVE-2023-23936

Description

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/nodejs/undici/releases/tag/v5.19.1
MISC	https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
MISC	https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
MISC	https://hackerone.com/reports/1820955

Type

URI

MISC

https://github.com/nodejs/undici/releases/tag/v5.19.1

MISC

https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034

MISC

https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff

MISC

https://hackerone.com/reports/1820955

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:undici::::::node.js::*`	nodejs	>= 2.0.0	< 5.19.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 18.0.0	< 18.14.1
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 16.0.0	< 16.19.1
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 19.0.0	< 19.6.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

nodejs

>= 2.0.0

< 5.19.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 18.0.0

< 18.14.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 16.0.0

< 16.19.1

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 19.0.0

< 19.6.1

References

Match rules

Vulnerable and fixed packages