ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (rn) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += connection: upgradernupgrade: ${upgrade}rn
}
Weakness
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Undici | Nodejs | * | 6.24.0 (excluding) |
| Undici | Nodejs | 7.0.0 (including) | 7.24.0 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | nodejs24-1:24.14.1-2.el10_1 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:24-8100020260408131901.6d880403 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:24-9070020260402152654.rhel9 | * |