CVE-2022-35948
CVE-2022-35948 is a medium-severity vulnerability in Nodejs Undici with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-74.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 1% (65th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-74
- Affected product: Nodejs Undici
- Published:
- Last modified:
Description
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Frequently asked questions
- What is CVE-2022-35948?
- undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
- How severe is CVE-2022-35948?
- CVE-2022-35948 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2022-35948 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (65th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-35948?
- CVE-2022-35948 affects Nodejs Undici. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-35948?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-35948 published?
- CVE-2022-35948 was published on 2022-08-15 and last updated on 2026-06-17.
References
- https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80
- https://github.com/nodejs/undici/releases/tag/v5.8.2
- https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3
Affected products (1)
- cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
More vulnerabilities in Nodejs Undici
- CVE-2026-6734 — High (CVSS 7.5): Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying…
- CVE-2026-9675 — High (CVSS 7.5): Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of…
- CVE-2026-12151 — High (CVSS 7.5): Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but…
- CVE-2026-2229 — High (CVSS 7.5): ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of…
- CVE-2026-1528 — High (CVSS 7.5): ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's…
- CVE-2026-1526 — High (CVSS 7.5): The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during…
All CVEs affecting Nodejs Undici →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →