CVE-2023-23936 MEDIUM

CVE-2023-23936: CRLF Injection in Nodejs ‘undici’ via host

Vendor Nodejs

Product undici

Weakness CWE-93 · CRLF injection

Published February 16, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

Key dates

Disclosure timeline

February 16, 2023 CVE published

March 10, 2025 Record updated