Moderate severity · NVD Advisory · Published Jul 19, 2022 · Updated Apr 22, 2025
CRLF injection in request headers
CVE-2022-31150
Description
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.
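The workaround in the description is to keep CR and LF out of header values that come from untrusted input before they reach the client. The following is an added example for this page, not code from undici or its advisory, showing the two defensive options: reject a header set outright on the first line break or NUL (the safer default), or strip the characters and report which headers were touched so the event can be logged. Header names are checked against the RFC 9110 `token` grammar; the sample header sets are constructed for the demonstration.

```javascript
// Added example (not from the undici project): validate header names and
// values before handing them to any HTTP client, so that a CR or LF from an
// untrusted source cannot terminate the header line and start a new one.

// RFC 9110 field-name: a token (visible ASCII minus the delimiter characters).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Anything that can break or split a header line: CR, LF, NUL.
const FORBIDDEN_RE = /[\r\n\0]/;

function validateHeaderName(name) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  return name;
}

function validateHeaderValue(name, value) {
  const str = String(value);
  if (FORBIDDEN_RE.test(str)) {
    throw new TypeError(`header ${name} contains a line break or NUL`);
  }
  return str;
}

// Option 1 (preferred): return a checked copy of the headers, throwing on the
// first bad entry instead of silently stripping, so the caller can refuse the
// request and the attempt is visible rather than masked.
function checkHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    validateHeaderName(name);
    out[name] = Array.isArray(value)
      ? value.map((v) => validateHeaderValue(name, v))
      : validateHeaderValue(name, value);
  }
  return out;
}

// Option 2: the workaround quoted in the advisory, removing \r and \n rather
// than rejecting. Returns the cleaned headers plus the names that were
// modified, which is the signal worth logging or alerting on.
function stripCrlf(headers) {
  const out = {};
  const modified = [];
  for (const [name, value] of Object.entries(headers)) {
    validateHeaderName(name);
    const str = String(value);
    const clean = str.replace(/[\r\n]/g, '');
    if (clean !== str) modified.push(name);
    out[name] = clean;
  }
  return { headers: out, modified };
}

// Constructed samples: one clean header set and one whose value carries a
// CRLF that would otherwise start a second header line.
const CLEAN = { 'user-agent': 'example/1.0', accept: 'application/json' };
const INJECTED = { 'x-request-tag': 'text\r\nx-other: 1' };

function demo() {
  const results = { clean: checkHeaders(CLEAN) };
  try {
    checkHeaders(INJECTED);
    results.rejected = false;
  } catch (e) {
    results.rejected = e.message;
  }
  results.stripped = stripCrlf(INJECTED);
  return results;
}

console.log(demo());
```

In practice `checkHeaders` belongs at the boundary where request headers are assembled from user-controlled data (proxies, forwarders, callback URLs), and the `modified` list from `stripCrlf` should feed the same place failed validations are logged, since a stripped CRLF is evidence of an attempted injection, not just bad input.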
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| undici | npm | < 5.8.0 | 5.8.0 |
Affected products
Versions sourced from GHSA coordinates (7 versions; no CPE is assigned to any entry).

| Package URL | Affected range |
|---|---|
| pkg:npm/undici | < 5.8.0 |
| pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Leap%2015.3 | < 16.17.0-150300.7.9.1 |
| pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Leap%2015.4 | < 16.17.0-150400.3.6.1 |
| pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Tumbleweed | < 16.17.0-2.1 |
| pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 | < 16.17.0-8.9.1 |
| pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3 | < 16.17.0-150300.7.9.1 |
| pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4 | < 16.17.0-150400.3.6.1 |
References
- github.com/advisories/GHSA-3cvr-822r-rqcc (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-31150 (ghsa; ADVISORY)
- github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259 (ghsa; WEB)
- github.com/nodejs/undici/releases/tag/v5.8.0 (ghsa; x_refsource_MISC; WEB)
- github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc (ghsa; x_refsource_CONFIRM; WEB)
- hackerone.com/reports/409943 (ghsa; x_refsource_MISC; WEB)
- security.netapp.com/advisory/ntap-20220915-0002 (ghsa; WEB)
- security.netapp.com/advisory/ntap-20220915-0002/ (mitre; x_refsource_CONFIRM)