eventsource-encoder Event Injection Vulnerability in Event Fields

Vulnerability

A vulnerability exists in eventsource-encoder versions prior to 1.0.2: the encoder does not validate the event and id fields of an EventSourceMessage before serializing them. An attacker who controls either value can embed a Server-Sent Events line terminator in it, forging additional SSE fields or entire messages on the stream. The issue arises because the SSE wire format treats certain line endings as field terminators, so an unvalidated terminator inside a field value changes how the client parses the stream.

Impact

Exploitation of this vulnerability allows for the injection of unauthorized events and data into the Server-Sent Events stream, potentially misleading clients or disrupting event handling.

Reproduction

To reproduce this vulnerability, use eventsource-encoder version 1.0.1 or earlier and place a line terminator in the event or id field of an EventSourceMessage. When the message is encoded, the injected terminator is emitted verbatim and is interpreted by the client as the end of that field, so whatever follows it is parsed as forged SSE fields or messages.

Remediation

Upgrade to eventsource-encoder version 1.0.2 or later, where the event and id fields are validated before serialization so that values containing a line terminator are not emitted onto the stream.
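As an added illustration, not code from eventsource-encoder, the following minimal SSE encoder in JavaScript shows the unvalidated behaviour beside the validated one, together with a small parser that reconstructs what a client would see on the wire. The function names (encodeUnsafe, encodeSafe, parseStream), the field-name regex and the sample message values are constructed for this example and are not taken from the advisory or the package.

```javascript
// Added example for this advisory; not the eventsource-encoder implementation.
// Shows why single-line SSE fields (event, id) must be validated before
// serialization, and how multi-line data is carried safely instead.

// The SSE wire format treats CRLF, LF and CR as line terminators and a blank
// line as the end of a message.
const LINE_TERMINATOR = /\r\n|\r|\n/;

// Unvalidated encoder: event and id are copied into the output verbatim.
// A terminator inside either value ends the field early on the client side.
function encodeUnsafe(msg) {
  let out = '';
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  // data may legitimately span lines; each line gets its own "data:" prefix,
  // so terminators inside data are representable without injection.
  for (const line of String(msg.data).split(LINE_TERMINATOR)) {
    out += `data: ${line}\n`;
  }
  return out + '\n'; // blank line terminates the message
}

// Validated encoder: reject any single-line field that contains a terminator.
function encodeSafe(msg) {
  for (const field of ['event', 'id']) {
    const value = msg[field];
    if (value !== undefined && LINE_TERMINATOR.test(String(value))) {
      throw new TypeError(`SSE ${field} field must not contain a line terminator`);
    }
  }
  return encodeUnsafe(msg);
}

// Minimal client-side parser, used here only to show how the stream is read.
// Returns an array of { event?, id?, data: [lines] } objects.
function parseStream(text) {
  const messages = [];
  let current = null;
  for (const line of text.split(LINE_TERMINATOR)) {
    if (line === '') {
      if (current) messages.push(current);
      current = null;
      continue;
    }
    const idx = line.indexOf(':');
    const field = idx === -1 ? line : line.slice(0, idx);
    let value = idx === -1 ? '' : line.slice(idx + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    current = current || { data: [] };
    if (field === 'data') current.data.push(value);
    else if (field === 'event' || field === 'id') current[field] = value;
  }
  return messages;
}

// Constructed untrusted input: an event name that carries a terminator
// followed by a field the application never set.
const untrusted = { event: 'ping\r\nid: 99', data: 'hello' };

// With the unvalidated encoder the client sees an id of "99" that the
// application did not send.
console.log(parseStream(encodeUnsafe(untrusted)));

// The validated encoder refuses to serialize the message at all.
try {
  encodeSafe(untrusted);
} catch (err) {
  console.log('rejected:', err.message);
}
```

The check is deliberately a reject rather than a strip or escape: SSE defines no escaping for the event and id fields, so the only representation-preserving option is to refuse the value and let the caller decide. Multi-line data is not affected because the encoder already splits it into one `data:` line per row, which is the representation the specification expects.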

Added: May 26, 2026, 10:10 PM
Updated: May 26, 2026, 10:10 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 8.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.