5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35948

GHSA ID

GHSA-f772-66g8-q5h3

EPSS Score

0.48922%

CWE

CWE-74

Published

8/18/2022

Updated

2/3/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-35948

CVE-2022-35948: Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

http://localhost:3000/
http://localhost:3000/foo2

Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

Open an issue in undici repository
To make a report, follow the SECURITY document

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-35948

CVE-2022-35948:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35948

GHSA ID

GHSA-f772-66g8-q5h3

EPSS Score

0.48922%

CWE

CWE-74

Published

8/18/2022

Updated

2/3/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
undici	npm	<= 5.8.1	5.8.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in the header processing logic of undici's request mechanism. The commit diff shows a critical modification in processHeader() where a headerCharRegex check was added specifically for Content-Type header values. Prior to the patch, the function only checked the header key was 'content-type' without validating the header value. This allowed CRLF sequences in the value to split the request into multiple malicious requests. The added test case in request-crlf.js directly validates this scenario, confirming the vulnerable code path was in the header processing function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-35948: Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Impact

Patches

Workarounds

For more information

CVE-2022-35948:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2022-35948: Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Impact

Patches

Workarounds

For more information

5.3

5.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI