Vulnerabilities/

CRLF Injection in Nodejs ‘undici’ via host

Severity:: Medium

Description

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.0.0, < 5.19.1
Patched version(s): 5.19.1

References

Related Issues

static-server Path Traversal vulnerability - CVE-2023-26152
chromedriver Downloads Resources over HTTP - CVE-2016-10579
undici Denial of Service attack via bad certificate data - CVE-2025-47279
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260

Tags:: npm; undici

Anything's wrong? Let us know Last updated on February 24, 2023

This issue is available in SmartScanner Professional