CVE-2026-44214
EventSource Message Injection in eventsource-encoder
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rexxars | eventsource-encoder | < 1.0.2 (upper bound exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44214 is a vulnerability in eventsource-encoder versions 1.0.1 and earlier where the event and id fields of an EventSourceMessage are not sanitized before being serialized.
This lack of sanitization allows an attacker who controls either the event or id field to inject arbitrary Server-Sent Events (SSE) line terminators such as `\n`, `\r`, or `\r\n`.
By injecting these line terminators, the attacker can forge additional SSE fields or even entire messages on the stream, manipulating the output.
This vulnerability was fixed in version 1.0.2 by validating and rejecting values containing line terminators in these fields.
How can this vulnerability impact me?
This vulnerability primarily impacts data integrity by allowing an attacker to inject forged Server-Sent Events messages into the stream.
If an application uses untrusted input in the event or id fields, an attacker can manipulate the output stream, potentially causing unexpected behavior or misleading information to be processed by clients.
Applications that only use trusted values for these fields are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when eventsource-encoder versions 1.0.1 and earlier serialize event or id fields containing untrusted input with line terminators (`\n`, `\r`, or `\r\n`), allowing injection of forged SSE messages.
To detect this vulnerability on your system, you should check the version of eventsource-encoder in use. Versions prior to 1.0.2 are vulnerable.
Additionally, you can inspect network traffic or logs for Server-Sent Events streams containing unexpected line terminators or forged SSE fields/messages.
The advisory itself lists no specific commands, but you can check the installed package version with:
- For npm-based projects: `npm list eventsource-encoder`
- For yarn-based projects: `yarn list --pattern eventsource-encoder`
To inspect network traffic for suspicious SSE messages, you might use tools like `tcpdump` or `Wireshark` to capture and analyze HTTP streams for unexpected line terminators in SSE event or id fields.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade eventsource-encoder to version 1.0.2 or later, where the vulnerability is fixed by validating and rejecting event and id fields containing line terminators.
If upgrading is not immediately possible, sanitize all inputs to the event and id fields to remove any line terminators (`\n`, `\r`, or `\r\n`) before passing them to the encoder.
Also, ensure that only trusted values are used in these fields to reduce the risk of injection.
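The injection described in the explanation above and the validate-and-reject fix described under mitigation, shown side by side as an added example. This is constructed illustration code, not the eventsource-encoder library's own source: the `encodeUnsafe`, `encodeSafe` and `countMessages` names, the simplified serializer shape and the forged event value are assumptions made for the demonstration.

```javascript
// Added example (not eventsource-encoder's code): a minimal SSE serializer in
// the shape the advisory describes, in a vulnerable and a hardened form, plus
// a client-side parse a defender can use to spot forged messages.

const SSE_LINE_TERMINATOR = /[\r\n]/;

// Vulnerable form: event/id are interpolated without checking for CR or LF
// (CWE-93), so a terminator inside the value starts a new field or message.
function encodeUnsafe({ event, id, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  // data may legitimately span lines; each line gets its own "data:" field.
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Hardened form: reject event/id values containing any line terminator,
// matching the validate-and-reject behaviour the advisory attributes to 1.0.2.
function encodeSafe(msg) {
  for (const field of ['event', 'id']) {
    const value = msg[field];
    if (value !== undefined && SSE_LINE_TERMINATOR.test(String(value))) {
      throw new TypeError(`SSE field "${field}" must not contain CR or LF`);
    }
  }
  return encodeUnsafe(msg);
}

// Detection helper: split a serialized stream into messages the way an
// EventSource client does (a blank line ends a message). One input message
// that yields more than one parsed message means a field smuggled a terminator.
function countMessages(stream) {
  return stream.split(/(?:\r\n|\r|\n){2}/).filter(Boolean).length;
}

// Constructed untrusted value: an event name that smuggles a second message.
const forgedEvent = 'update\ndata: {"balance":0}\n\nevent: admin';
```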
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily impacts data integrity by allowing an attacker to inject arbitrary Server-Sent Events line terminators and forge additional SSE fields or messages. While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to manipulate event streams could potentially lead to unauthorized data manipulation or transmission, which may affect compliance with regulations that require data integrity and protection against unauthorized data alteration.
However, since the vulnerability requires untrusted input in the event or id fields and does not directly expose sensitive data or confidentiality breaches, its impact on compliance depends on the specific application context and how the eventsource-encoder is used within a system handling regulated data.