sse-channel Event Spoofing Vulnerability
Vulnerability
A vulnerability in sse-channel versions prior to 4.0.1 allows for event spoofing in Server-Sent Events (SSE) implementations. The issue arises because the 'parseMessage()' function concatenates user-controlled values in the 'event', 'id', and 'retry' fields directly into the SSE format without proper sanitization of newline characters. This oversight enables attackers to inject arbitrary messages or events into the stream, potentially disrupting client-side applications that rely on these SSE events.
Impact
Exploitation of this vulnerability allows attackers to inject arbitrary SSE events into the stream, which can trigger unintended actions in frontend JavaScript EventSource listeners. This injection creates a false representation of events, as consumers of the SSE stream cannot differentiate between legitimate and injected events.
Reproduction
To reproduce this vulnerability, use sse-channel version 4.0.0. Create a new SseChannel instance and send a message through the channel. Include an injected event in the 'event' field that contains newline characters. The injected event will be processed as a legitimate SSE event by the client.
Remediation
Users can upgrade to sse-channel version 4.0.1, where this vulnerability is patched. If upgrading is not possible, sanitize user input to remove newline characters before passing it to the 'event', 'retry', or 'id' fields.
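The following is an added illustration, not code from sse-channel itself, of the defect described above and of the remediation. A naive serializer (constructed here to mirror the concatenation behaviour the advisory attributes to 'parseMessage()') writes the 'event', 'id' and 'retry' fields straight into the wire format; a hardened variant strips line breaks from those fields first. A minimal parser that follows the EventSource dispatch rules (a blank line dispatches the buffered event, 'event' sets the type, 'data' lines are joined with a newline) shows that the same message yields two events from the naive serializer and one from the hardened one. The function names and the sample message are constructed for this example; sanitizing carriage returns as well as line feeds follows from the SSE specification, which treats CR, LF and CRLF as line terminators.

```javascript
// Added example, not sse-channel's code. Demonstrates how an unsanitized line
// break in the 'event' field splits one message into two SSE events, and how
// stripping CR/LF from the single-line fields prevents it.

// Naive serializer modelled on the concatenation defect described in the
// advisory: field values go into the stream unchecked. Hypothetical name.
function formatSseUnsafe(msg) {
  let out = '';
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.retry !== undefined) out += `retry: ${msg.retry}\n`;
  out += `data: ${msg.data}\n\n`;
  return out;
}

// Remove CR and LF so a value can never terminate its own line. The SSE spec
// treats CR, LF and CRLF as line terminators, so both characters must go.
function sanitizeField(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Hardened serializer (hypothetical name): 'event' and 'id' are sanitized,
// 'retry' is only ever emitted as a non-negative integer, and multi-line data
// is encoded as several 'data:' lines, which is the spec's own encoding.
function formatSseSafe(msg) {
  let out = '';
  if (msg.event !== undefined) out += `event: ${sanitizeField(msg.event)}\n`;
  if (msg.id !== undefined) out += `id: ${sanitizeField(msg.id)}\n`;
  if (msg.retry !== undefined) {
    const retry = Number(msg.retry);
    if (!Number.isInteger(retry) || retry < 0) {
      throw new TypeError('retry must be a non-negative integer');
    }
    out += `retry: ${retry}\n`;
  }
  for (const line of String(msg.data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  out += '\n';
  return out;
}

// Minimal client-side parser following the EventSource interpretation of a
// stream: a blank line dispatches the buffered event (only if it has data),
// 'event' sets the type (default 'message'), comments (':' lines) are skipped.
function parseSseStream(text) {
  const events = [];
  let type = 'message';
  let data = [];
  let id;
  let retry;
  for (const rawLine of text.split(/\r\n|\r|\n/)) {
    if (rawLine === '') {
      if (data.length > 0) events.push({ type, id, retry, data: data.join('\n') });
      type = 'message'; data = []; id = undefined; retry = undefined;
      continue;
    }
    if (rawLine.startsWith(':')) continue;
    const colon = rawLine.indexOf(':');
    const field = colon === -1 ? rawLine : rawLine.slice(0, colon);
    let value = colon === -1 ? '' : rawLine.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') type = value;
    else if (field === 'data') data.push(value);
    else if (field === 'id') id = value;
    else if (field === 'retry') retry = value;
  }
  return events;
}

// Constructed sample: a user-controlled event name carrying line breaks and a
// second event. A legitimate consumer expects exactly one 'ping' event.
const SPOOFED_MESSAGE = {
  event: 'ping\ndata: injected\n\nevent: alert',
  data: 'ok',
};

// Returns how many events a client would dispatch for each serializer.
function compareSerializers(msg) {
  return {
    unsafe: parseSseStream(formatSseUnsafe(msg)),
    safe: parseSseStream(formatSseSafe(msg)),
  };
}

const result = compareSerializers(SPOOFED_MESSAGE);
console.log('unsafe serializer dispatches', result.unsafe.length, 'events');
console.log('safe serializer dispatches', result.safe.length, 'event');
```

With the naive serializer the stream contains a dispatched event of type 'ping' with data 'injected' followed by the original payload retyped as 'alert', so the listener registered for 'ping' never sees the real message and a listener for 'alert' sees one the server never sent. With the hardened serializer the line breaks are gone, the event type becomes a single odd-looking string, and the client dispatches exactly one event carrying the original data. Sanitizing at the serializer is preferable to sanitizing at each call site because it covers every path that reaches the stream.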
