PT-2026-37313 · Npm · Sse-Channel
Published
2026-05-05
·
Updated
2026-05-05
·
CVE-2026-44217
CVSS v4.0
6.6
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
Impact
Implementations that allows user-provided values to be passed to
event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.- Event Spoofing: Attacker can inject arbitrary SSE events into the stream
- Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
- Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones
Patches
Patch available in v4.0.1.
Workarounds
Do not allow user data to control
event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.Resources
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sse-Channel