Node.js undici CRLF Injection Vulnerability via Upgrade Option

Vulnerability

A CRLF injection vulnerability has been identified in undici, the HTTP client library maintained by the Node.js project. It affects the 6.x line before 6.24.0 and the 7.x line from 7.0.0 up to, but not including, 7.24.0. The vulnerability arises when user-controlled input is passed as the upgrade option of client.request(). Undici writes the upgrade value directly into the outgoing request headers on the socket without validating it, so a value containing CR/LF sequences breaks out of the Upgrade header. An attacker who controls that value can add arbitrary HTTP headers to the outgoing request, terminate the header block early, and place raw bytes after it that are sent to the target unchanged. That last point matters when the request is directed at a non-HTTP service such as Redis, Memcached, or Elasticsearch, which will read the trailing bytes as its own protocol.

Impact

Exploitation requires that the application pass attacker-influenced strings as the upgrade option. When it does, the attacker gains CRLF injection into the client's outbound request: arbitrary headers can be added, the request can be terminated early, and raw data can be smuggled to non-HTTP services reachable from the application, in the same way as an SSRF against an internal service.

Remediation

Upgrade to undici 6.24.0 or later on the 6.x line, or 7.24.0 or later on the 7.x line. Independently of the library version, treat the upgrade option as an HTTP protocol token rather than free text: reject, rather than strip, any value containing CR, LF, or other characters that are not valid in a header value, and prefer a fixed allow-list of protocols (for example "websocket") over passing user input through.
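The following is an added example, not code from undici or from the advisory. It models how a CRLF-bearing upgrade value corrupts the serialized request as the advisory describes, then shows the strict token check a caller should apply before invoking client.request(). The header layout in serializeUpgradeRequest is an illustrative approximation of an HTTP/1.1 upgrade request, not undici's own serializer; upgradeRequest is a hypothetical wrapper that accepts any object with a request(opts) method, and the malicious value is constructed for the demonstration.

```javascript
'use strict';

const CRLF = '\r\n';

// Illustrative model of the request block an HTTP/1.1 client emits for an
// upgrade request. The exact byte layout is an assumption, not undici's code;
// the point is that the upgrade value lands verbatim inside the header block.
function serializeUpgradeRequest(path, host, upgrade) {
  return `GET ${path} HTTP/1.1${CRLF}host: ${host}${CRLF}` +
    `connection: upgrade${CRLF}upgrade: ${upgrade}${CRLF}${CRLF}`;
}

// What the peer sees: the request line and headers up to the first blank
// line, plus whatever bytes follow it. A non-HTTP service such as Redis
// reads those trailing bytes as fresh commands of its own protocol.
function splitOnWire(bytes) {
  const end = bytes.indexOf(CRLF + CRLF);
  const head = bytes.slice(0, end).split(CRLF);
  return {
    requestLine: head[0],
    headers: head.slice(1),
    trailingBytes: bytes.slice(end + 4),
  };
}

// Constructed attacker-controlled value: it closes the Upgrade header, adds
// a header, ends the request with a blank line, and appends raw bytes meant
// for a non-HTTP backend.
const EVIL_UPGRADE = 'websocket\r\nx-injected: 1\r\n\r\nSET key value\r\n';

// Allow-list check. An Upgrade value is an HTTP token (RFC 9110 tchar set),
// optionally followed by "/version". CR, LF, spaces and separators are not
// in that set, so an injection attempt cannot pass.
const UPGRADE_TOKEN =
  /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+(?:\/[!#$%&'*+\-.^_`|~0-9A-Za-z]+)?$/;

function isSafeUpgradeValue(value) {
  return typeof value === 'string' && UPGRADE_TOKEN.test(value);
}

function assertSafeUpgrade(value) {
  if (!isSafeUpgradeValue(value)) {
    throw new TypeError('upgrade option must be an HTTP protocol token');
  }
  return value;
}

// Hypothetical wrapper: validate before the value ever reaches undici.
// `client` is anything exposing request(opts), e.g. an undici Client.
// Rejecting is preferred over sanitizing, which can mask a real attack.
function upgradeRequest(client, opts) {
  return client.request({ ...opts, upgrade: assertSafeUpgrade(opts.upgrade) });
}

// Demonstrate the corruption the check prevents.
function demonstrateInjection() {
  const wire = serializeUpgradeRequest('/ws', 'cache.internal', EVIL_UPGRADE);
  return splitOnWire(wire);
}
```

Running demonstrateInjection() shows an extra x-injected header in the parsed header list and "SET key value" left over after the blank line, which is exactly the data a non-HTTP service would consume; assertSafeUpgrade rejects the same value before any bytes are written.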

Added: Mar 12, 2026, 9:18 PM
Updated: Mar 12, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 4.7
remediation: 8.3
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.