VDB
CVE-2022-31150
PUBLISHED
CVSS 5.3 MEDIUM
Reported by GitHub_M · Published July 19, 2022
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
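The workaround named above, sanitizing untrusted headers before they reach an undici request, as an added example that is not code from undici or from the advisory. It assumes headers arrive as a plain object of string (or string-array) values; the undici call shown in the comment is a hypothetical usage.

```javascript
// Added example: enforce the CRLF workaround on caller-supplied headers
// before handing them to an undici request (assumed input shape: object
// of string or string[] values).
const CRLF_RE = /[\r\n]/;

// Reject any header name or value containing CR or LF. Rejecting is
// preferred over silently stripping, because a stripped value may no longer
// mean what the caller intended, and the attempt itself is worth logging.
function assertNoCrlf(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (CRLF_RE.test(name)) {
      throw new TypeError(`CR/LF in header name: ${JSON.stringify(name)}`);
    }
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (CRLF_RE.test(String(v))) {
        throw new TypeError(`CR/LF in header value for ${name}`);
      }
    }
  }
  return headers;
}

// Lenient variant for callers that must keep going: strip every CR and LF
// from names and values, returning a new object.
function stripCrlf(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const cleanName = name.replace(/[\r\n]/g, '');
    clean[cleanName] = Array.isArray(value)
      ? value.map((v) => String(v).replace(/[\r\n]/g, ''))
      : String(value).replace(/[\r\n]/g, '');
  }
  return clean;
}

// Constructed sample: a caller-controlled value carrying a CRLF sequence.
const untrusted = {
  'x-request-id': 'abc123\r\nx-injected: 1',
  accept: 'application/json',
};

// Hypothetical usage (URL is a placeholder): validate, then send.
// const { request } = require('undici');
// await request('https://example.invalid/', { headers: assertNoCrlf(untrusted) });

// Small helper so the reject decision can be checked as a return value.
function isRejected(headers) {
  try { assertNoCrlf(headers); return false; } catch { return true; }
}
```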
Risk Scores
- CVSS 3.1 base score: 5.3
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nodejs | undici | < v5.7.1, >= v5.8.0 |
| npm | undici | 0 |
Timeline
- Jul 19, 2022 CVE Published
- Jul 20, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Oct 22, 2022 EPSS Score
- Oct 28, 2022 CVE Updated
- Jan 24, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
- Apr 27, 2023 EPSS Score
- Jun 13, 2023 EPSS Score
- Sep 15, 2023 EPSS Score
- Nov 1, 2023 EPSS Score
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-31150 (advisory)
- https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259 (patch)
- https://github.com/advisories/GHSA-3cvr-822r-rqcc (advisory)