First published: Thu Feb 16 2023(Updated: )
A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. This issue could allow HTTP response splitting and HTTP header injection.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
redhat/nodejs | <1:16.19.1-1.el9_2 | 1:16.19.1-1.el9_2 |
redhat/nodejs | <1:16.20.2-1.el9_0 | 1:16.20.2-1.el9_0 |
Nodejs Node.js | >=16.0.0<16.19.1 | |
Nodejs Node.js | >=18.0.0<18.14.1 | |
Nodejs Node.js | >=19.0.0<19.6.1 | |
Nodejs Undici | >=2.0.0<5.19.1 | |
IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2023-23936 is a vulnerability in the fetch API in Node.js that allows for CRLF injection in the host header.
CVE-2023-23936 has a severity rating of 6.5 out of 10.
CVE-2023-23936 affects Node.js versions prior to 19.6.1, 18.14.1, and 16.19.1.
To fix CVE-2023-23936, update Node.js to version 19.6.1, 18.14.1, or 16.19.1.
As a workaround for CVE-2023-23936, sanitize the `headers.host` string before passing to the affected component.