{"id":"BIT-node-min-2023-23936","summary":"CRLF Injection in Nodejs ‘undici’ via host","details":"Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.","aliases":["BIT-node-2023-23936","CVE-2023-23936","GHSA-5r9g-qh6m-jxff"],"modified":"2025-05-20T10:02:07.006Z","published":"2024-12-16T14:00:12.823Z","database_specific":{"cpes":["cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"],"severity":"Medium"},"references":[{"type":"WEB","url":"https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"},{"type":"WEB","url":"https://github.com/nodejs/undici/releases/tag/v5.19.1"},{"type":"WEB","url":"https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"},{"type":"WEB","url":"https://hackerone.com/reports/1820955"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23936"}],"affected":[{"package":{"name":"node-min","ecosystem":"Bitnami","purl":"pkg:bitnami/node-min"},"ranges":[{"type":"SEMVER","events":[{"introduced":"16.0.0"},{"fixed":"16.19.1"},{"introduced":"18.0.0"},{"fixed":"18.14.1"},{"introduced":"19.0.0"},{"fixed":"19.6.1"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2023-23936.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}]}],"schema_version":"1.7.3"}