Executive Summary

CVE-2026-44214 is a vulnerability in eventsource-encoder versions 1.0.1 and earlier where the event and id fields of an EventSourceMessage are not sanitized before being serialized.

This lack of sanitization allows an attacker who controls either the event or id field to inject arbitrary Server-Sent Events (SSE) line terminators such as \n, \r, or \r\n.

By injecting these line terminators, the attacker can forge additional SSE fields or even entire messages on the stream, manipulating the output.

This vulnerability was fixed in version 1.0.2 by validating and rejecting values containing line terminators in these fields.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability primarily impacts data integrity by allowing an attacker to inject forged Server-Sent Events messages into the stream.

If an application uses untrusted input in the event or id fields, an attacker can manipulate the output stream, potentially causing unexpected behavior or misleading information to be processed by clients.

Applications that only use trusted values for these fields are not affected.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when eventsource-encoder versions 1.0.1 and earlier serialize event or id fields containing untrusted input with line terminators (\n, \r, or \r\n), allowing injection of forged SSE messages.

To detect this vulnerability on your system, you should check the version of eventsource-encoder in use. Versions prior to 1.0.2 are vulnerable.

Additionally, you can inspect network traffic or logs for Server-Sent Events streams containing unexpected line terminators or forged SSE fields/messages.

While no specific commands are provided, you can use commands like the following to check the installed package version:

• For npm-based projects: `npm list eventsource-encoder`
• For yarn-based projects: `yarn list --pattern eventsource-encoder`

To inspect network traffic for suspicious SSE messages, you might use tools like `tcpdump` or `Wireshark` to capture and analyze HTTP streams for unexpected line terminators in SSE event or id fields.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade eventsource-encoder to version 1.0.2 or later, where the vulnerability is fixed by validating and rejecting event and id fields containing line terminators.

If upgrading is not immediately possible, sanitize all inputs to the event and id fields to remove any line terminators (\n, \r, or \r\n) before passing them to the encoder.

Also, ensure that only trusted values are used in these fields to reduce the risk of injection.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability primarily impacts data integrity by allowing an attacker to inject arbitrary Server-Sent Events line terminators and forge additional SSE fields or messages. While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to manipulate event streams could potentially lead to unauthorized data manipulation or transmission, which may affect compliance with regulations that require data integrity and protection against unauthorized data alteration.

However, since the vulnerability requires untrusted input in the event or id fields and does not directly expose sensitive data or confidentiality breaches, its impact on compliance depends on the specific application context and how the eventsource-encoder is used within a system handling regulated data.

Useful 0 Not Useful 0