Описание
A flaw was found in undici, a Node.js HTTP/1.1 client. This vulnerability allows a remote attacker to inject malicious data into HTTP headers or prematurely end HTTP requests by sending specially crafted input to the upgrade option of client.request(). This is possible because undici does not properly validate input for invalid header characters, which could lead to unauthorized information disclosure or bypassing of security controls.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-console-plugin-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel9 | Fix deferred | ||
| Red Hat Developer Hub | rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor | Fix deferred | ||
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux 10 | nodejs22 | Fix deferred | ||
| Red Hat Enterprise Linux 10 | nodejs24 | Fix deferred | ||
| Red Hat Enterprise Linux 8 | nodejs:22/nodejs | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
ImpactWhen an application passes user-controlled input to theupgradeop ...
Undici has CRLF Injection in undici via `upgrade` option
EPSS
6.5 Medium
CVSS3