VDB

CVE-2022-31150 PUBLISHED CVSS 5.3 MEDIUM

Reported by GitHub_M · Published July 19, 2022

undici is an HTTP/1.1 client, written from scratch for Node.js. In undici versions less than 5.7.1 it is possible to inject CRLF sequences into request headers. Because HTTP/1.1 delimits header fields with `\r\n`, an attacker who controls a header value can terminate the field early and append further headers, or otherwise alter the request the server receives (integrity impact only, per the CVSS vector below). A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
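The following is an added illustration, not code from undici or from the advisory. It models the bug class described above with a naive serializer that copies header values straight into the request bytes, a receiver-side parser that shows what a server would believe the client sent, and the two mitigations a caller can apply to untrusted header input: reject CR/LF (strict) or strip it (the advisory's workaround). The function names, the constructed `untrusted` value and the host name are all assumptions made for the example.

```javascript
// Added example (not undici's implementation): CRLF injection into an
// HTTP/1.1 header block, and how to detect or neutralise it before serializing.

// Naive serializer: writes each header into the request without checking for
// CR or LF. This is the failure mode described in the advisory.
function serializeUnchecked(method, path, host, headers) {
  let raw = `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    raw += `${name}: ${value}\r\n`;
  }
  return raw + '\r\n';
}

// Minimal receiver-side parse of the header block: everything between the
// request line and the blank line is what the server treats as client headers.
function parseHeaderBlock(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const lines = raw.slice(0, end).split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) { // skip the request line
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Mitigation 1 (strict): refuse any header name or value containing CR or LF.
function assertSafeHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new TypeError(`CR/LF in header "${name.replace(/[\r\n]/g, '?')}"`);
    }
  }
  return headers;
}

// Mitigation 2 (the advisory's workaround): strip \r and \n from untrusted input.
function sanitizeHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    clean[name.replace(/[\r\n]/g, '')] = String(value).replace(/[\r\n]/g, '');
  }
  return clean;
}

// Serializer that validates first; this is what a hardened caller should use.
function serializeChecked(method, path, host, headers) {
  return serializeUnchecked(method, path, host, assertSafeHeaders(headers));
}

// Constructed attacker-controlled value, e.g. copied from a query parameter.
const untrusted = { 'x-user': 'alice\r\nx-admin: true' };

// Runs the three paths over the same hostile input and reports what happened.
function demo() {
  const bad = parseHeaderBlock(serializeUnchecked('GET', '/', 'example.test', untrusted));
  const stripped = parseHeaderBlock(
    serializeUnchecked('GET', '/', 'example.test', sanitizeHeaders(untrusted)));
  let rejected = false;
  try {
    serializeChecked('GET', '/', 'example.test', untrusted);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { injected: 'x-admin' in bad, strippedValue: stripped['x-user'], rejected };
}
```

Running `demo()` shows the unchecked path yields a server-visible `x-admin` header that the caller never set, the stripping path keeps the request intact but silently merges the attacker's text into the `x-user` value, and the strict path refuses the request outright. Rejecting is the safer default for a client library; stripping is an acceptable stop-gap only where the header value is otherwise expected to be free of control characters.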

Risk Scores

CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor    Product    Versions
nodejs    undici     < v5.7.1, >= v5.8.0
npm       undici     0

Timeline

  • Jul 19, 2022 CVE Published
  • Jul 20, 2022 EPSS Score
  • Sep 5, 2022 EPSS Score
  • Oct 22, 2022 EPSS Score
  • Oct 28, 2022 CVE Updated
  • Jan 24, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 11, 2023 EPSS Score
  • Apr 27, 2023 EPSS Score
  • Jun 13, 2023 EPSS Score
  • Sep 15, 2023 EPSS Score
  • Nov 1, 2023 EPSS Score