CVE-2022-35948: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in nodejs undici
undici is an HTTP/1.1 client, written from scratch for Node.js. Users of `undici@5.8.0` and earlier (`<= undici@5.8.0`) are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically inside the `content-type` header. Example:

```
import { request } from 'undici'

// Attacker-controlled value that embeds CRLF sequences (the advisory's own example)
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  },
})
```

The above snippet will perform two requests in a single `request` API call:

1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

This issue was patched in Undici v5.8.1. As a workaround, sanitize input before using it in the content-type header.
AI Analysis
Technical Summary
CVE-2022-35948 is a vulnerability classified as CWE-93 (Improper Neutralization of CRLF Sequences, commonly known as CRLF Injection) affecting the Node.js HTTP/1.1 client library undici, specifically versions up to and including 5.8.0. Undici is a high-performance HTTP client written from scratch for Node.js environments. The vulnerability arises when unsanitized user input is used directly in HTTP request headers, particularly the 'content-type' header. An attacker can inject carriage return and line feed (CRLF) sequences into the header value, which lets them manipulate the HTTP request by effectively splitting it into multiple requests. For example, by injecting '\r\n\r\nGET /foo2 HTTP/1.1' into the content-type header, the client sends two HTTP requests in a single API call: the original request and a second, attacker-controlled request. Depending on server and intermediary behavior, this can lead to request smuggling, cache poisoning, or other HTTP request manipulation attacks. The vulnerability was patched in undici version 5.8.1. Until the upgrade is applied, mitigation involves sanitizing any user input used in HTTP headers to remove CRLF characters. No known exploits have been reported in the wild, but the vulnerability presents a significant risk in environments where untrusted input is used directly in HTTP headers without validation or sanitization. The issue is rooted in improper neutralization of special characters in output consumed by downstream components, which can lead to injection attacks and unexpected behavior in HTTP communications.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Node.js applications using undici versions <= 5.8.0 for HTTP client functionality. Exploitation could allow attackers to perform HTTP request smuggling or injection attacks, potentially bypassing security controls, manipulating web caches, or causing unintended request routing. This could lead to unauthorized access, data leakage, or disruption of services. Organizations in sectors with high reliance on web services and APIs—such as finance, telecommunications, healthcare, and government—are particularly at risk. The ability to inject additional HTTP requests could also facilitate further attacks like cross-site scripting (XSS), session hijacking, or server-side request forgery (SSRF) if combined with other vulnerabilities. Although no exploits are currently known in the wild, the ease of exploitation (no authentication or user interaction required if unsanitized input is used) means that attackers could leverage this vulnerability in automated attacks or targeted campaigns. The impact on confidentiality, integrity, and availability depends on the context of use but can be moderate to high if exploited effectively.
Mitigation Recommendations
1. Upgrade undici to version 5.8.1 or later immediately to apply the official patch addressing this vulnerability.
2. Implement strict input validation and sanitization on all user-supplied data used in HTTP headers, especially the 'content-type' header, to remove CRLF characters and other control characters that could be used for injection.
3. Employ security-focused HTTP libraries or middleware that automatically sanitize headers and prevent injection attacks.
4. Conduct code reviews and static analysis focusing on HTTP header construction to identify and remediate unsafe usage of user input.
5. Monitor network traffic for anomalous HTTP requests that may indicate exploitation attempts, such as multiple requests sent in a single HTTP call or unexpected header values.
6. Educate developers about the risks of CRLF injection and secure coding practices related to HTTP header handling.
7. For critical services, consider implementing Web Application Firewalls (WAFs) with rules to detect and block CRLF injection patterns.
8. Maintain an inventory of Node.js applications and dependencies to ensure timely patching and vulnerability management.
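The following is an added example (not undici's code and not part of the advisory) illustrating recommendation 2 and the splitting behaviour described in the technical summary: a header-value check based on the RFC 9110 field-value character set, a constructed naive HTTP/1.1 serializer standing in for a client that copies header values verbatim, and a small request-line counter that shows whether a serialized message was split. The names `isValidHeaderValue`, `serializeNaive`, `serializeChecked` and `countRequestLines` are assumptions of this example.

```javascript
const CRLF = '\r\n';

// RFC 9110 field-value characters: HTAB, visible ASCII plus SP (0x20-0x7E) and
// obs-text (0x80-0xFF). CR, LF, NUL, other C0 controls and DEL are rejected.
function isValidHeaderValue(value) {
  return /^[\t\x20-\x7e\x80-\xff]*$/.test(String(value));
}

function assertHeaderValue(name, value) {
  if (!isValidHeaderValue(value)) {
    throw new TypeError(`invalid characters in header "${name}"`);
  }
  return value;
}

// Constructed naive HTTP/1.1 serializer: header values are concatenated
// verbatim, i.e. the behaviour of a client that does not neutralize CRLF.
function serializeNaive(method, path, host, headers) {
  let msg = `${method} ${path} HTTP/1.1${CRLF}host: ${host}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    msg += `${name}: ${value}${CRLF}`;
  }
  return msg + CRLF;
}

// Same serializer with the check applied: an unsafe value never reaches the wire.
function serializeChecked(method, path, host, headers) {
  const safe = {};
  for (const [name, value] of Object.entries(headers)) {
    safe[name] = assertHeaderValue(name, value);
  }
  return serializeNaive(method, path, host, safe);
}

// Count HTTP request-lines in a serialized message; more than one means the
// single API call was split into several requests.
function countRequestLines(wire) {
  const requestLine = /^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP\/1\.[01]$/;
  return wire.split(CRLF).filter((line) => requestLine.test(line)).length;
}

// Constructed sample input: the exact header value quoted in the advisory.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1';
```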
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf67d1
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:55:15 PM
Last updated: 8/11/2025, 11:23:52 AM
Views: 14