The eventsource-encoder library versions before 1.0.2 do not properly neutralize CRLF sequences in the event or id fields of EventSourceMessage objects. This improper neutralization (CWE-93) enables an attacker who can control these fields to inject line terminators (\n, \r, or \r\n) into the serialized Server-Sent Events stream. As a result, the attacker can forge additional SSE fields or entire messages, potentially manipulating the event stream consumed by clients. The issue is addressed in version 1.0.2 of the library.

An attacker able to supply crafted event or id fields can inject arbitrary line terminators into the SSE stream, allowing them to forge additional SSE fields or messages. This can lead to injection of unintended data into the event stream, potentially causing clients to process malicious or misleading events. The vulnerability does not impact confidentiality or availability but affects integrity of the SSE messages.

Upgrade to eventsource-encoder version 1.0.2 or later, where this vulnerability is fixed by proper sanitization of the event and id fields. Since no official patch or remediation level is explicitly stated beyond the version fix, applying this version upgrade is the recommended remediation. There are no vendor advisories indicating that no action is required or that the issue is otherwise mitigated.