What is CVE-2022-35948?

CVE-2022-35948 is a vulnerability in the undici package that allows for CRLF Injection on headers when unsanitized input is used in the content-type header.

What is the severity of CVE-2022-35948?

The severity of CVE-2022-35948 is medium with a severity value of 5.3.

How does CVE-2022-35948 affect undici users?

Undici users with versions up to exclusive 5.8.2 are vulnerable to the CRLF Injection vulnerability on headers when unsanitized input is used in the content-type header.

How can I fix CVE-2022-35948?

To fix CVE-2022-35948, undici users should upgrade to version 5.8.2 or higher.

Where can I find more information about CVE-2022-35948?

You can find more information about CVE-2022-35948 on the Red Hat Security Advisory (RHSA-2022:7276) and the official CVE page.

Vulnerability/
CVE-2022-35948

medium

5.3

CWE

74 93

9/8/2022

13/8/2022

3/8/2024

CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type

First published: Tue Aug 09 2022(Updated: )

A flaw was found in the undici package. When requesting unsanitized input on content-type headers, it is possible to inject additional requests via Carriage Return/Line Feed (CRLF).

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nodejs Undici	<5.8.2

Remedy

https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

Remedy

A possible mitigation is to sanitize user input when sending content-type headers.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-35948?
CVE-2022-35948 is a vulnerability in the undici package that allows for CRLF Injection on headers when unsanitized input is used in the content-type header.
What is the severity of CVE-2022-35948?
The severity of CVE-2022-35948 is medium with a severity value of 5.3.
How does CVE-2022-35948 affect undici users?
Undici users with versions up to exclusive 5.8.2 are vulnerable to the CRLF Injection vulnerability on headers when unsanitized input is used in the content-type header.
How can I fix CVE-2022-35948?
To fix CVE-2022-35948, undici users should upgrade to version 5.8.2 or higher.
Where can I find more information about CVE-2022-35948?
You can find more information about CVE-2022-35948 on the Red Hat Security Advisory (RHSA-2022:7276) and the official CVE page.

collector/redhat-cve
collector/nvd-index
agent/type
agent/first-publish-date
agent/softwarecombine
agent/author
agent/references
agent/severity
agent/remedy
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-35948
agent/software-canonical-lookup
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/tags
agent/event
vendor/nodejs
canonical/nodejs undici
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.