Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
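One way to apply the workaround described above, as an added example that is not code from undici or from the advisory: it validates a `host` value against a strict `host[:port]` allowlist and rejects CR, LF and other control characters rather than stripping them. The helper names `sanitizeHostHeader` and `withSafeHost` and the sample values are assumptions made for illustration.

```javascript
// Added example, not undici code: allowlist validation for a Host header value.
// sanitizeHostHeader and withSafeHost are hypothetical helper names.
const DNS_NAME = /^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}\.?$/;
const HOST_PORT = /^(\[[0-9A-Fa-f:.]{2,45}\]|[^:\[\]]+)(?::(\d{1,5}))?$/;

function sanitizeHostHeader(value) {
  if (typeof value !== 'string') {
    throw new TypeError('host header must be a string');
  }
  // CR and LF terminate a header line in HTTP/1.1. Reject them, together with
  // all other control characters and whitespace, instead of stripping them.
  if (/[\x00-\x20\x7f]/.test(value)) {
    throw new Error('host header contains control or whitespace characters');
  }
  const m = HOST_PORT.exec(value);
  if (!m) throw new Error('host header is not host[:port]');
  const [, host, port] = m;
  // Bracketed IPv6 literals were matched above; everything else must be a DNS name.
  if (!host.startsWith('[') && (host.length > 253 || !DNS_NAME.test(host))) {
    throw new Error('host header has an invalid hostname');
  }
  if (port !== undefined && Number(port) > 65535) {
    throw new Error('host header has an invalid port');
  }
  return value;
}

// Returns a copy of `headers`, validating any key that equals "host"
// case-insensitively. Other headers are copied unchanged.
function withSafeHost(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = name.toLowerCase() === 'host' ? sanitizeHostHeader(value) : value;
  }
  return out;
}

// Constructed inputs: one legitimate value and one carrying a CRLF sequence.
function demo() {
  const results = {};
  for (const host of ['api.example.com:8443', 'api.example.com\r\nX-Injected: 1']) {
    try {
      withSafeHost({ Host: host });
      results[JSON.stringify(host)] = 'accepted';
    } catch (err) {
      results[JSON.stringify(host)] = 'rejected';
    }
  }
  return results;
}
```

The object returned by `withSafeHost` is what would be passed as the `headers` option of an undici request on versions before 5.19.1.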
Feedly found the first article mentioning CVE-2023-23936.
EPSS Score was set to: 0.06% (Percentile: 21.3%)
Detection for the vulnerability has been added to Nessus (189669)