CVE-2022-35948 in undici

Summary

by MITRE • 08/15/2022

undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example:

```js
import { request } from 'undici'

// Attacker-controlled value: the CRLF pair ends the content-type header line,
// the empty line ends the header block, and the rest is parsed as a second request.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  },
})
```

The above snippet will perform two requests in a single `request` API call:

1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.


Analysis

by VulDB Data Team • 09/11/2022

The vulnerability CVE-2022-35948 represents a critical CRLF injection flaw in the undici HTTP client library for Node.js, specifically affecting versions prior to 5.8.1. This vulnerability stems from inadequate input sanitization when processing HTTP headers, particularly the content-type header, which allows attackers to inject malicious carriage return and line feed characters into HTTP requests. The flaw enables attackers to manipulate HTTP request parsing by inserting CRLF sequences that can cause the client to send multiple requests in a single API call, fundamentally altering the intended request behavior and potentially enabling various attack vectors including HTTP request smuggling and cache poisoning.

The vulnerability is triggered when unsanitized user input is passed directly as the content-type header value in undici's request API. CRLF injection exploits the fact that HTTP header lines are terminated by a carriage return and line feed, so when these characters are embedded in a header value the receiving parser treats them as the end of that header. In the advisory's example, the input contains a CRLF pair, an empty line that closes the header block, and then a GET request line, so the client sends what the server parses as two distinct requests: the first is the intended target and the second is an attacker-controlled endpoint. This violates the expected HTTP request semantics and creates a parsing inconsistency in the client's request handling.

From an operational impact perspective, this vulnerability presents significant security risks to applications using undici as their HTTP client, particularly those that process user input in header values without proper sanitization. The vulnerability can be exploited to bypass security controls, perform unauthorized requests against internal services, or manipulate request routing in ways that could lead to data leakage or privilege escalation. Attackers can leverage this flaw to conduct HTTP request smuggling attacks where they inject additional requests that may be processed by intermediate proxies or servers, potentially enabling them to access restricted resources or manipulate server behavior. The vulnerability also poses risks to applications that rely on proper header validation for authentication or authorization checks, as the injected requests could bypass these security mechanisms.

The mitigation for this vulnerability is to upgrade to undici version 5.8.1 or later, which adds input sanitization and CRLF character filtering in header processing. Organizations should update all affected systems and dependencies promptly. Independently of the upgrade, developers should validate all user input before placing it in HTTP headers, particularly content-type headers, rejecting or encoding values that contain control characters so that a value cannot terminate the header line. This remediation aligns with CWE-117, which addresses improper output neutralization for logs, and the issue maps to ATT&CK technique T1071.004 (Application Layer Protocol), specifically HTTP protocol manipulation. Organizations should also monitor and log HTTP request patterns to detect anomalous behavior that might indicate exploitation attempts, since injected requests appear as unusual request sequences or unexpected server interactions that deviate from normal application behavior.
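As an added example (not undici's own code and not part of the advisory), the workaround recommended above implemented as a header guard placed in front of an undici-style `request()`; the `request` function is injected so the guard can be exercised offline, and the sample values are constructed from the advisory's payload.

```javascript
// Added example, not undici's own code: apply the advisory's workaround for
// undici <= 5.8.0 by validating header values before they reach request().
// RFC 9110 allows VCHAR, SP, HTAB and obs-text in a field value; CR, LF, NUL
// and other control characters are what let a value terminate the header
// line early, so they are rejected outright rather than silently stripped.
const FORBIDDEN_IN_VALUE = /[\x00-\x08\x0A-\x1F\x7F]/; // HTAB (0x09) stays allowed
const VALID_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;    // RFC 9110 "token" (header name)

function isValidHeaderValue(value) {
  return typeof value === 'string' && !FORBIDDEN_IN_VALUE.test(value);
}

// Returns a copy of `headers`, or throws if any name or value could split a request.
function assertSafeHeaders(headers) {
  const safe = {};
  for (const [name, value] of Object.entries(headers ?? {})) {
    if (!VALID_TOKEN.test(name)) {
      throw new TypeError(`invalid header name ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new TypeError(`header ${name} contains CR/LF or control characters`);
    }
    safe[name] = value;
  }
  return safe;
}

// Wraps an undici-style request(url, options) so validation always runs first.
// `request` is injected (hypothetical parameter) so the wrapper runs without network access.
function makeSafeRequest(request) {
  return (url, options = {}) =>
    request(url, { ...options, headers: assertSafeHeaders(options.headers) });
}

// Constructed inputs: the advisory's payload and a normal content-type value.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1';
const benignContentType = 'application/json; charset=utf-8';
```

Calling the wrapped request with the advisory's payload throws before anything is sent, while the benign value is forwarded unchanged.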

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

08/15/2022

Moderation

accepted

CPE

ready

EPSS

0.01203

KEV

no

Activities

very low
