First published: Thu Feb 16 2023(Updated: )
Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
redhat/nodejs | <1:16.19.1-1.el9_2 | 1:16.19.1-1.el9_2 |
redhat/nodejs | <1:16.20.2-1.el9_0 | 1:16.20.2-1.el9_0 |
Nodejs Node.js | >=16.0.0<16.19.1 | |
Nodejs Node.js | >=18.0.0<18.14.1 | |
Nodejs Node.js | >=19.0.0<19.6.1 | |
Nodejs Undici | >=2.0.0<5.19.1 | |
IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2023-23936 is a vulnerability in the fetch API in Node.js that allows for CRLF injection in the host header.
CVE-2023-23936 has a severity rating of 6.5 out of 10.
CVE-2023-23936 affects Node.js versions prior to 19.6.1, 18.14.1, and 16.19.1.
To fix CVE-2023-23936, update Node.js to version 19.6.1, 18.14.1, or 16.19.1.
As a workaround for CVE-2023-23936, sanitize the `headers.host` string before passing to the affected component.