PT-2026-37313 · Npm · Sse-Channel
Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-44217
CVSS v4.0: 6.6 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
sse-channel versions prior to 4.0.1
Description
Implementations that allow user-provided values to be passed to the event, retry, or id fields are susceptible to event spoofing. This allows an attacker to inject arbitrary Server-Sent Events (SSE) into the stream, which can trigger unintended behavior in frontend JavaScript EventSource listeners. Consequently, consumers of the SSE stream cannot distinguish injected events from legitimate ones, compromising data integrity.
Recommendations
Update to version 4.0.1.
Do not allow user data to control the event, retry, or id fields; if necessary, sanitize the input by stripping any newlines before passing it to sse-channel.
Fix
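The following is an added example, not sse-channel's own code: it models what a naive SSE serializer emits when a user-influenced id reaches the frame verbatim, parses the result the way a browser EventSource splits a stream, and applies the mitigation recommended above (stripping CR and LF, since the SSE format treats either as a line break). Function names and the constructed tainted value are hypothetical.

```javascript
// Added example, not sse-channel's code: naive SSE serializer, an
// EventSource-style parser, and the advisory's mitigation (strip CR/LF
// from any user-influenced id/event/retry value). Names are hypothetical.

// Serialize one frame; a vulnerable server interpolates fields verbatim.
function buildFrame({ id, event, retry, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  return out + `data: ${data}\n\n`;
}

// Parse like EventSource: "field: value" lines fill a buffer, a blank line
// dispatches it (only if a data line was seen), ":" lines are comments.
function parseStream(text) {
  const events = [];
  let cur = { event: "message", data: [] };
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (cur.data.length) events.push({ ...cur, data: cur.data.join("\n") });
      cur = { event: "message", data: [] };
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") cur.data.push(value);
    else if (field === "event") cur.event = value;
    else if (field === "id") cur.id = value;
    else if (field === "retry") cur.retry = value;
  }
  return events;
}

// Mitigation from the advisory: no line break may reach the header fields.
function stripNewlines(value) {
  return String(value).replace(/[\r\n]/g, "");
}
// Constructed tainted id: its line breaks smuggle a complete extra frame.
const taintedId = "42\nevent: spoofed\ndata: {}\n";
// Event types a client would dispatch for a frame built with the given id.
function eventTypes(id) {
  return parseStream(buildFrame({ id, data: "hello" })).map((e) => e.event);
}
console.log(eventTypes(taintedId));                // [ 'spoofed', 'message' ]
console.log(eventTypes(stripNewlines(taintedId))); // [ 'message' ]
```

After sanitizing, the whole tainted string collapses into a single (odd-looking but harmless) id value and the client dispatches exactly one event.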
Affected Products
Sse-Channel