CVE-2022-31150
Aliases:GHSA-3cvr-822r-rqcc
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 19 Jul 2022, 20:40
Last modified:22 Apr 2025, 17:48
Vulnerability Summary
Overall Risk (default)
medium
36/100 CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.51% LOW
1% probability -0.18%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
19 Jul 2022, 20:40
Published
Vulnerability first disclosed
22 Apr 2025, 17:48
Last Modified
Vulnerability information updated
Description
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Trends
Current EPSS score: 0.51%• Percentile: 67%
Techniques & Countermeasures
- CWE-93•Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Systems
- nodejs•undici
≥ v5.8.0, < v5.7.1 | < 5.8.0
- Npm•undici
< 5.8.0
References (8)
- https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc
- https://hackerone.com/reports/409943
- https://github.com/nodejs/undici/releases/tag/v5.8.0
- https://security.netapp.com/advisory/ntap-20220915-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2022-31150
- https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259
- https://github.com/nodejs/undici
- https://security.netapp.com/advisory/ntap-20220915-0002