Vulnerability-Lookup

GHSA-84HM-WFH8-C5PG

Vulnerability from github – Published: 2026-05-05 22:17 – Updated: 2026-05-13 16:27

Summary

sse-channel: SSE Injection via unsanitized event fields

Details

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

Event Spoofing: Attacker can inject arbitrary SSE events into the stream
Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones

Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

Severity

6.6 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "sse-channel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:17:02Z",
    "nvd_published_at": "2026-05-12T20:16:42Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nImplementations that allows user-provided values to be passed to `event`, `retry` or `id` fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.\n\n- **Event Spoofing:** Attacker can inject arbitrary SSE events into the stream\n- **Client-side Manipulation:** Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners\n- **Data Integrity:** Consumers of the SSE stream cannot distinguish injected events from legitimate ones\n\n### Patches\nPatch available in v4.0.1.\n\n### Workarounds\nDo not allow user data to control `event`, `retry` or `id` fields, and if you must - sanitize the input before passing it to `sse-channel`, stripping any newlines. \n\n### Resources\n\nhttps://github.com/rexxars/sse-channel/issues/42",
  "id": "GHSA-84hm-wfh8-c5pg",
  "modified": "2026-05-13T16:27:28Z",
  "published": "2026-05-05T22:17:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rexxars/sse-channel/issues/42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rexxars/sse-channel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sse-channel: SSE Injection via unsanitized event fields"
}

CVE-2026-44217 (GCVE-0-2026-44217)

Vulnerability from cvelistv5 – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52

Title

sse-channel: SSE Injection via unsanitized event fields

Summary

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.

Severity

6.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/rexxars/sse-channel/security/a…	x_refsource_CONFIRM
https://github.com/rexxars/sse-channel/issues/42	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
rexxars	sse-channel	Affected: < 4.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44217",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T19:50:24.505003Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:52:02.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sse-channel",
          "vendor": "rexxars",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T19:51:06.910Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
        },
        {
          "name": "https://github.com/rexxars/sse-channel/issues/42",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rexxars/sse-channel/issues/42"
        }
      ],
      "source": {
        "advisory": "GHSA-84hm-wfh8-c5pg",
        "discovery": "UNKNOWN"
      },
      "title": "sse-channel: SSE Injection via unsanitized event fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44217",
    "datePublished": "2026-05-12T19:51:06.910Z",
    "dateReserved": "2026-05-05T15:13:47.572Z",
    "dateUpdated": "2026-05-14T19:52:02.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted