Skip to main content

sse-channel CVE-2026-44217

MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-05 https://github.com/rexxars/sse-channel GHSA-84hm-wfh8-c5pg
6.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 20:22 NVD
6.6 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 23:01 vuln.today
Analysis Generated
May 05, 2026 - 23:01 vuln.today

DescriptionGitHub Advisory

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

  • Event Spoofing: Attacker can inject arbitrary SSE events into the stream
  • Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
  • Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones

Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

AnalysisAI

Event spoofing in sse-channel (npm) allows attackers to inject arbitrary Server-Sent Events (SSE) messages by passing unsanitized user input to the event, retry, or id fields, enabling client-side manipulation and data integrity violations. Affects sse-channel versions 4.0.0 and earlier; patched in v4.0.1. No public exploit code identified at time of analysis, but vulnerability is straightforward to exploit if user-controlled data reaches SSE field parameters.

Technical ContextAI

sse-channel is an npm package for generating Server-Sent Events (SSE) streams. Server-Sent Events are transmitted as text using the HTTP protocol with MIME type text/event-stream, where each event is delimited by double newlines. The protocol defines specific field names (event, id, retry, data) that control stream behavior. The CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) classification indicates the root cause is improper input validation - specifically, the failure to sanitize newline characters (CRLF/LF) in user-supplied values before embedding them into SSE field headers. An attacker injecting a newline into the event, retry, or id field can terminate the current field and introduce arbitrary new fields or events into the stream, effectively spoofing event identity and triggering unintended EventSource listeners on frontend clients consuming the stream.

RemediationAI

Primary fix: Upgrade sse-channel to version 4.0.1 or later immediately. For applications unable to upgrade immediately, implement input sanitization at the application level: remove or escape all newline characters (CR, LF) and carriage returns from user input before passing data to the event, retry, or id fields of sse-channel - this prevents injection of new SSE directives. Additionally, validate that user-supplied values for these fields conform to expected formats (e.g., event names should match a whitelist of legitimate event types). Use the GitHub advisory (https://github.com/advisories/GHSA-84hm-wfh8-c5pg) as reference for patch confirmation and additional context.

Share

CVE-2026-44217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy