CVE-2023-23936: CRLF Injection
First published: Thu Feb 16 2023(Updated: )
Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| redhat/nodejs | <1:16.19.1-1.el9_2 | 1:16.19.1-1.el9_2 |
| redhat/nodejs | <1:16.20.2-1.el9_0 | 1:16.20.2-1.el9_0 |
| Nodejs Node.js | >=16.0.0<16.19.1 | |
| Nodejs Node.js | >=18.0.0<18.14.1 | |
| Nodejs Node.js | >=19.0.0<19.6.1 | |
| Nodejs Undici | >=2.0.0<5.19.1 | |
| IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247696
- https://www.ibm.com/support/pages/node/7031207 (Advisory)
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
- https://hackerone.com/reports/1820955
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172191
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172195
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172192
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172193
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172194
- https://access.redhat.com/errata/RHSA-2023:1582
- https://access.redhat.com/errata/RHSA-2023:1583
- https://access.redhat.com/errata/RHSA-2023:2654
- https://access.redhat.com/errata/RHSA-2023:2655
- https://access.redhat.com/security/cve/cve-2023-23936
- https://access.redhat.com/errata/RHSA-2023:5533
- https://bugzilla.redhat.com/show_bug.cgi?id=2172190
- https://www.cve.org/CVERecord?id=CVE-2023-23936 https://nvd.nist.gov/vuln/detail/CVE-2023-23936
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-23936?
CVE-2023-23936 is a vulnerability in the fetch API in Node.js that allows for CRLF injection in the host header.
What is the severity of CVE-2023-23936?
CVE-2023-23936 has a severity rating of 6.5 out of 10.
How does CVE-2023-23936 affect Node.js?
CVE-2023-23936 affects Node.js versions prior to 19.6.1, 18.14.1, and 16.19.1.
How can I fix CVE-2023-23936?
To fix CVE-2023-23936, update Node.js to version 19.6.1, 18.14.1, or 16.19.1.
Are there any workarounds for CVE-2023-23936?
As a workaround for CVE-2023-23936, sanitize the `headers.host` string before passing to the affected component.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-23936
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/ibm
- canonical/ibm cognos dashboards on cloud pak for data
- version/ibm cognos dashboards on cloud pak for data/4.7.0
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/16.0.0
- version/nodejs node.js/18.0.0
- version/nodejs node.js/19.0.0
- canonical/nodejs undici
- version/nodejs undici/2.0.0
- package-manager/redhat