Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dtvs-pgam-qkbp
Vulnerability ID VCID-dtvs-pgam-qkbp
Aliases CVE-2023-23936
GHSA-5r9g-qh6m-jxff
Summary CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23936.json
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00395 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00536 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00602 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00727 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
epss 0.00727 https://api.first.org/data/v1/epss?cve=CVE-2023-23936
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-5r9g-qh6m-jxff
cvssv3.1 4.6 https://github.com/nodejs/undici
generic_textual MODERATE https://github.com/nodejs/undici
cvssv3.1 4.6 https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
cvssv3.1 6.5 https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
generic_textual MODERATE https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
ssvc Track https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
cvssv3.1 4.6 https://github.com/nodejs/undici/releases/tag/v5.19.1
cvssv3.1 6.5 https://github.com/nodejs/undici/releases/tag/v5.19.1
generic_textual MODERATE https://github.com/nodejs/undici/releases/tag/v5.19.1
ssvc Track https://github.com/nodejs/undici/releases/tag/v5.19.1
cvssv3.1 4.6 https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
cvssv3.1 6.5 https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
cvssv3.1_qr MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
generic_textual MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
ssvc Track https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
cvssv3.1 4.6 https://hackerone.com/reports/1820955
cvssv3.1 6.5 https://hackerone.com/reports/1820955
generic_textual MODERATE https://hackerone.com/reports/1820955
ssvc Track https://hackerone.com/reports/1820955
cvssv3.1 4.6 https://nvd.nist.gov/vuln/detail/CVE-2023-23936
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-23936
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23936.json
https://api.first.org/data/v1/epss?cve=CVE-2023-23936
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/nodejs/undici
https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
https://github.com/nodejs/undici/releases/tag/v5.19.1
https://hackerone.com/reports/1820955
1031418 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031418
2172190 https://bugzilla.redhat.com/show_bug.cgi?id=2172190
CVE-2023-23936 https://nvd.nist.gov/vuln/detail/CVE-2023-23936
GHSA-5r9g-qh6m-jxff https://github.com/advisories/GHSA-5r9g-qh6m-jxff
GHSA-5r9g-qh6m-jxff https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582
RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583
RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655
RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23936.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:48Z/ Found at https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/releases/tag/v5.19.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/releases/tag/v5.19.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:48Z/ Found at https://github.com/nodejs/undici/releases/tag/v5.19.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:48Z/ Found at https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://hackerone.com/reports/1820955
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://hackerone.com/reports/1820955
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:48Z/ Found at https://hackerone.com/reports/1820955
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23936
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56506
EPSS Score 0.00337
Published At April 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:54.553150+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/undici/CVE-2023-23936.yml 38.0.0