Vulnerability-Lookup

CVE-2026-44214 (GCVE-0-2026-44214)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:34 – Updated: 2026-05-27 13:19

Title

eventsource-encoder: SSE event injection via unsanitized event and id fields

Summary

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/rexxars/eventsource-encoder/se…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
rexxars	eventsource-encoder	Affected: < 1.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44214",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T13:19:24.561615Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:19:45.558Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "eventsource-encoder",
          "vendor": "rexxars",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\\n, \\r, or \\r\\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:34:32.273Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
        }
      ],
      "source": {
        "advisory": "GHSA-m9g3-3g99-mhpx",
        "discovery": "UNKNOWN"
      },
      "title": "eventsource-encoder: SSE event injection via unsanitized event and id fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44214",
    "datePublished": "2026-05-26T19:34:32.273Z",
    "dateReserved": "2026-05-05T15:13:47.572Z",
    "dateUpdated": "2026-05-27T13:19:45.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44214",
      "date": "2026-05-29",
      "epss": "0.00011",
      "percentile": "0.01543"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44214\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T20:16:19.803\",\"lastModified\":\"2026-05-28T14:30:02.060\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\\\\n, \\\\r, or \\\\r\\\\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"},{\"lang\":\"en\",\"value\":\"CWE-113\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rexxars:eventsource-encoder:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.0.2\",\"matchCriteriaId\":\"8177C5C4-DAA1-43A8-A156-EEE62C9080A1\"}]}]}],\"references\":[{\"url\":\"https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44214\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T13:19:24.561615Z\"}}}], \"references\": [{\"url\": \"https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T13:19:39.824Z\"}}], \"cna\": {\"title\": \"eventsource-encoder: SSE event injection via unsanitized event and id fields\", \"source\": {\"advisory\": \"GHSA-m9g3-3g99-mhpx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rexxars\", \"product\": \"eventsource-encoder\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx\", \"name\": \"https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\\\\n, \\\\r, or \\\\r\\\\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-93\", \"description\": \"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-113\", \"description\": \"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-26T19:34:32.273Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44214\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-27T13:19:45.558Z\", \"dateReserved\": \"2026-05-05T15:13:47.572Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T19:34:32.273Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44214

Vulnerability from fkie_nvd - Published: 2026-05-26 20:16 - Updated: 2026-05-28 14:30

Severity

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	rexxars	eventsource-encoder	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rexxars:eventsource-encoder:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "8177C5C4-DAA1-43A8-A156-EEE62C9080A1",
              "versionEndExcluding": "1.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\\n, \\r, or \\r\\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2."
    }
  ],
  "id": "CVE-2026-44214",
  "lastModified": "2026-05-28T14:30:02.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-26T20:16:19.803",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        },
        {
          "lang": "en",
          "value": "CWE-113"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-M9G3-3G99-MHPX

Vulnerability from github – Published: 2026-05-08 20:49 – Updated: 2026-05-08 20:49

Summary

eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields

Details

Summary

eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to GHSA-4hxc-9384-m385 (h3), but the vulnerable fields are event/id rather than data/comment. These are less likely to be user-controllable, but should still be sanitized.

Details

In src/encode.ts, encodeMessage interpolates event and id into the output without inspecting them for line terminators:

if (message.event) {
  output += `event: ${message.event}\n`
}
// ...
if (typeof message.id === 'string' || typeof message.id === 'number') {
  output += `id: ${message.id}\n`
}

The SSE specification treats \r, \n, and \r\n as line terminators. A \n (or \r) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.

By contrast, data and comment already normalize all three line-terminator forms via NEWLINES_RE = /(\r\n|\r|\n)/g, so they are not affected.

Proof of concept

import {encode} from 'eventsource-encoder'

// Attacker-controlled value flows into `event`
const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}'

console.log(encode({event: userSuppliedTopic, data: 'hello'}))

Output:

event: message
event: admin
data: {"role":"admin"}
data: hello

The browser sees two events: a forged admin event with attacker-chosen payload, followed by the legitimate message event. The same primitive works through id for any string id value.

Impact

If untrusted input is passed into the event or id field of a message, an attacker can:

Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)
Inject additional SSE fields (data:, id:, retry:) into the stream
Split a single encode() call into multiple distinct browser events
Override the client's Last-Event-ID via injected id: lines

The vulnerability requires that an application places attacker-controlled data into event or id. Applications that only put trusted, statically-defined values into these fields are not affected.

Patches

Fixed in eventsource-encoder@1.0.2. The event and string id fields are now validated; any value containing \r or \n causes the encoder to throw a TypeError rather than emit a malformed stream.

Workarounds

If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to encode / encodeMessage:

function safeSingleLine(value) {
  if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line')
  return value
}

encode({event: safeSingleLine(topic), id: safeSingleLine(id), data})

Resources

Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385
SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream

Credit

Discovered while reviewing in light of GHSA-4hxc-9384-m385.

Severity

5.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "eventsource-encoder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:49:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\\n`, `\\r`, or `\\r\\n`) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to [GHSA-4hxc-9384-m385](https://github.com/advisories/GHSA-4hxc-9384-m385) (h3), but the vulnerable fields are `event`/`id` rather than `data`/`comment`. These are less likely to be user-controllable, but should still be sanitized.\n\n### Details\n\nIn `src/encode.ts`, `encodeMessage` interpolates `event` and `id` into the output without inspecting them for line terminators:\n\n```ts\nif (message.event) {\n  output += `event: ${message.event}\\n`\n}\n// ...\nif (typeof message.id === \u0027string\u0027 || typeof message.id === \u0027number\u0027) {\n  output += `id: ${message.id}\\n`\n}\n```\n\nThe SSE specification treats `\\r`, `\\n`, and `\\r\\n` as line terminators. A `\\n` (or `\\r`) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.\n\nBy contrast, `data` and `comment` already normalize all three line-terminator forms via `NEWLINES_RE = /(\\r\\n|\\r|\\n)/g`, so they are not affected.\n\n### Proof of concept\n\n```js\nimport {encode} from \u0027eventsource-encoder\u0027\n\n// Attacker-controlled value flows into `event`\nconst userSuppliedTopic = \u0027message\\nevent: admin\\ndata: {\"role\":\"admin\"}\u0027\n\nconsole.log(encode({event: userSuppliedTopic, data: \u0027hello\u0027}))\n```\n\nOutput:\n\n```\nevent: message\nevent: admin\ndata: {\"role\":\"admin\"}\ndata: hello\n\n```\n\nThe browser sees two events: a forged `admin` event with attacker-chosen payload, followed by the legitimate `message` event. The same primitive works through `id` for any string id value.\n\n### Impact\n\nIf untrusted input is passed into the `event` or `id` field of a message, an attacker can:\n\n- Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)\n- Inject additional SSE fields (`data:`, `id:`, `retry:`) into the stream\n- Split a single `encode()` call into multiple distinct browser events\n- Override the client\u0027s `Last-Event-ID` via injected `id:` lines\n\nThe vulnerability requires that an application places attacker-controlled data into `event` or `id`. Applications that only put trusted, statically-defined values into these fields are not affected.\n\n### Patches\n\nFixed in `eventsource-encoder@1.0.2`. The `event` and string `id` fields are now validated; any value containing `\\r` or `\\n` causes the encoder to throw a `TypeError` rather than emit a malformed stream.\n\n### Workarounds\n\nIf users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to `encode` / `encodeMessage`:\n\n```js\nfunction safeSingleLine(value) {\n  if (/[\\r\\n]/.test(value)) throw new Error(\u0027SSE field must be single-line\u0027)\n  return value\n}\n\nencode({event: safeSingleLine(topic), id: safeSingleLine(id), data})\n```\n\n### Resources\n\n- Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385\n- SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream\n\n### Credit\n\nDiscovered while reviewing in light of GHSA-4hxc-9384-m385.",
  "id": "GHSA-m9g3-3g99-mhpx",
  "modified": "2026-05-08T20:49:40Z",
  "published": "2026-05-08T20:49:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rexxars/eventsource-encoder"
    },
    {
      "type": "WEB",
      "url": "https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44214 (GCVE-0-2026-44214)

FKIE_CVE-2026-44214

GHSA-M9G3-3G99-MHPX

Summary

Details

Proof of concept

Impact

Patches

Workarounds

Resources

Credit

Tags

Sightings

Nomenclature