Vulnerabilities/

CRLF Injection in Nodejs ‘undici’ via host

Severity:: Medium

Description

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.0.0, < 5.19.1
Patched version(s): 5.19.1

References

Related Issues

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - CVE-2024-30261
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
AngularJS improperly sanitizes SVG elements - CVE-2025-0716

Tags:: npm; undici

Anything's wrong? Let us know Last updated on February 24, 2023