BIT-node-min-2023-23936
CRLF injection vulnerability in undici (npm)
What is BIT-node-min-2023-23936 About?
The undici library is vulnerable to CRLF injection within the `host` HTTP header, allowing attackers to inject arbitrary HTTP headers or even split HTTP responses. This can lead to cache poisoning, cross-site scripting, or other HTTP-level attacks. Exploitation is relatively easy if user-controlled input flows into the `host` header without sanitization.
Affected Software
Technical Details
The vulnerability arises because the undici library, prior to version 5.19.1, does not adequately protect the `host` HTTP header from CRLF injection. An attacker can include Carriage Return (CR) and Line Feed (LF) characters (e.g., `%0D%0A` in URL-encoded form) within user-controlled input that is subsequently used to construct the `host` header. Once serialized into the raw request, these characters terminate the current header line and allow injection of new, arbitrary HTTP headers, or even an entirely new HTTP response, leading to HTTP response splitting. This breaks the intended line structure of HTTP requests and responses, so proxies, caches or clients parse the injected content as if it were legitimate.
What is the Impact of BIT-node-min-2023-23936?
Successful exploitation may allow attackers to perform HTTP response splitting, cache poisoning, cross-site scripting (XSS), session hijacking, or other HTTP-level attacks.
What is the Exploitability of BIT-node-min-2023-23936?
Exploitation complexity is low to moderate. An attacker needs to provide input containing CRLF sequences to a part of the application that influences the host header when making requests via undici. No authentication or specific privileges are required; the attack can originate from any client that can interact with the vulnerable application's HTTP request processing. This is a remote vulnerability. The primary risk factor is the lack of strict sanitization or URL encoding of user-supplied data that is incorporated into HTTP headers, particularly the host header, before being processed by the undici library.
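As an added example (not undici's own code and not the upstream fix), the following shows the kind of validation an application can apply to an untrusted value before it reaches the `host` header, plus a hypothetical request serializer that refuses any header value containing CR/LF. The `validateHost` and `serializeRequestHead` names and the restricted Host grammar are assumptions made for this illustration.

```javascript
// Added example: reject CR/LF (and other control characters) in header values so an
// untrusted value can never terminate the host line and start an injected header.

// RFC 9110: Host = uri-host [ ":" port ]. For this example uri-host is restricted to
// reg-name characters (including percent-encoding) or a bracketed IPv6 literal.
const HOST_RE = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]+)(:\d{1,5})?$/;
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 9110 header-name token

function containsCtl(value) {
  // C0 control characters and DEL; CR (0x0D) and LF (0x0A) are what enable injection.
  return /[\u0000-\u001F\u007F]/.test(value);
}

function validateHost(raw) {
  if (typeof raw !== 'string') throw new TypeError('host must be a string');
  // Check the raw value and its percent-decoded form: a %0D%0A sequence that a later
  // layer decodes would otherwise pass a check that only looks at the raw string.
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { decoded = raw; }
  for (const v of [raw, decoded]) {
    if (containsCtl(v)) throw new Error('invalid character in host header');
  }
  if (!HOST_RE.test(raw)) throw new Error('malformed host header');
  return raw;
}

function serializeRequestHead(method, path, headers) {
  // Builds the request head line by line; every name and value is checked before it
  // is joined with CRLF, so no value can smuggle in an extra header line.
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN_RE.test(name)) throw new Error(`bad header name: ${name}`);
    const v = name.toLowerCase() === 'host' ? validateHost(value) : String(value);
    if (containsCtl(v)) throw new Error(`invalid character in header ${name}`);
    lines.push(`${name}: ${v}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Constructed sample: a clean request head versus one built from a tainted host value.
const cleanHead = serializeRequestHead('GET', '/', { host: 'example.com', accept: '*/*' });
```

The check is applied at serialization time rather than at input time, so it holds regardless of which code path produced the header value.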
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-node-min-2023-23936?
Available Upgrade Options
- undici
- >2.0.0, <5.19.1 → Upgrade to 5.19.1
Additional Resources
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
- https://github.com/nodejs/undici
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://nvd.nist.gov/vuln/detail/CVE-2023-23936
- https://osv.dev/vulnerability/GHSA-5r9g-qh6m-jxff
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
- https://hackerone.com/reports/1820955
What are Similar Vulnerabilities to BIT-node-min-2023-23936?
Similar Vulnerabilities: CVE-2023-26154, CVE-2022-24329, CVE-2022-0731, CVE-2021-37714, CVE-2020-14150
