Impact
When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
Sanitize the upgrade option string before passing to undici:
function sanitizeUpgrade(value) {
if (/[\r\n]/.test(value)) {
throw new Error('Invalid upgrade value')
}
return value
}
client.request({
upgrade: sanitizeUpgrade(userInput)
})References
mcollina Remediation developer
UlisesGascon Remediation developer
Impact
When an application passes user-controlled input to the
upgradeoption ofclient.request(), an attacker can inject CRLF sequences (\r\n) to:The vulnerability exists because undici writes the
upgradevalue directly to the socket without validating for invalid header characters:Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
Sanitize the
upgradeoption string before passing to undici:References
hostheader