{"id":"CVE-2023-23936","summary":"CRLF Injection in Nodejs ‘undici’ via host","details":"Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection (CWE-93): a `host` value containing CR or LF characters can be used to inject additional header lines into the outgoing request. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string (reject or strip any CR or LF characters) before passing it to undici.","aliases":["BIT-node-2023-23936","BIT-node-min-2023-23936","GHSA-5r9g-qh6m-jxff"],"modified":"2026-04-10T04:55:44.610693Z","published":"2023-02-16T17:30:23.968Z","related":["ALSA-2023:1582","ALSA-2023:1583","ALSA-2023:2654","ALSA-2023:2655","SUSE-SU-2023:0608-1","SUSE-SU-2023:0609-1","SUSE-SU-2023:0673-1","SUSE-SU-2023:0715-1","SUSE-SU-2023:0738-1"],"database_specific":{"cwe_ids":["CWE-93"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23936.json"},"references":[{"type":"WEB","url":"https://github.com/nodejs/undici/releases/tag/v5.19.1"},{"type":"WEB","url":"https://hackerone.com/reports/1820955"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23936.json"},{"type":"ADVISORY","url":"https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23936"},{"type":"FIX","url":"https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"7162e686b18d22b4385fa5c04274fb04dbd810c7"},{"fixed":"96a4559f259f109a2abc480caeba12644b8a8fd1"},{"introduced":"49a77a5a996a49e8cb728eed42e55a7c1a9eef6e"},{"fixed":"7bc2cf7fa9a2016fadb27e042968a69297bd975e"},{"introduced":"cc993fb2760d01457955f5b9ff787d559ed1c34e"},{"fixed":"a9d1e5059f9cc63cafc8e786a7b6332aa7ab3b2b"}],"database_specific":{"versions":[{"introduced":"16.0.0"},{"fixed":"16.19.1"},{"introduced":"18.0.0"},
{"fixed":"18.14.1"},{"introduced":"19.0.0"},{"fixed":"19.6.1"}]}}],"versions":["v16.0.0","v16.1.0","v16.10.0","v16.11.0","v16.11.1","v16.12.0","v16.13.0","v16.13.1","v16.13.2","v16.14.0","v16.14.1","v16.14.2","v16.15.0","v16.15.1","v16.16.0","v16.17.0","v16.17.1","v16.18.0","v16.18.1","v16.19.0","v16.2.0","v16.3.0","v16.4.0","v16.4.1","v16.4.2","v16.5.0","v16.6.0","v16.6.1","v16.6.2","v16.7.0","v16.8.0","v16.9.0","v16.9.1","v18.0.0","v18.1.0","v18.10.0","v18.11.0","v18.12.0","v18.12.1","v18.13.0","v18.14.0","v18.2.0","v18.3.0","v18.4.0","v18.5.0","v18.6.0","v18.7.0","v18.8.0","v18.9.0","v18.9.1","v19.0.0","v19.0.1","v19.1.0","v19.2.0","v19.3.0","v19.4.0","v19.5.0","v19.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23936.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/undici","events":[{"introduced":"6e91fbf0a1475d2385abcf20b58e1d21f527c0a3"},{"fixed":"984d53bad97c98529424a7f3bef6be1d0e76d039"}]}],"versions":["v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.1.0","v3.0.0","v3.1.0","v3.2.0","v3.3.0","v3.3.1","v4.0.0","v4.0.0-alpha.0","v4.0.0-alpha.1","v4.0.0-alpha.2","v4.0.0-alpha.4","v4.0.0-alpha.5","v4.0.0-rc.1","v4.0.0-rc.2","v4.0.0-rc.3","v4.0.0-rc.4","v4.0.0-rc.5","v4.0.0-rc.7","v4.0.0-rc.8","v4.1.0","v4.1.1","v4.10.0","v4.10.1","v4.10.2","v4.10.3","v4.10.4","v4.11.0","v4.11.1","v4.11.2","v4.11.3","v4.12.0","v4.12.2","v4.13.0","v4.14.0","v4.14.1","v4.15.0","v4.15.1","v4.16.0","v4.2.1","v4.2.2","v4.3.0","v4.3.1","v4.4.1","v4.4.2","v4.4.3","v4.4.4","v4.4.5","v4.4.6","v4.4.7","v4.5.0","v4.5.1","v4.6.0","v4.7.0","v4.7.1","v4.7.2","v4.7.3","v4.8.0","v4.8.1","v4.8.2","v4.9.0","v4.9.1","v4.9.2","v4.9.3","v4.9.4","v4.9.5","v5.0.0","v5.1.0","v5.1.1","v5.10.0","v5.11.0","v5.12.0","v5.13.0","v5.14.0","v5.15.0","v5.15.1","v5.15.2","v5.16.0","v5.17.0","v5.17.1","v5.18.0","v5.19.0","v5.2.0","v5.3.0","v5.4.0","v5.5.0","v5.5.1","v5.6.0","v5.6.1","v5.7.0","v5.8.0","v5.8.1","v
5.8.2","v5.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23936.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}