GHSA-M9G3-3G99-MHPX

Vulnerability from github – Published: 2026-05-08 20:49 – Updated: 2026-05-08 20:49
VLAI
Summary
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Details

Summary

eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to GHSA-4hxc-9384-m385 (h3), but the vulnerable fields are event/id rather than data/comment. These are less likely to be user-controllable, but should still be sanitized.

Details

In src/encode.ts, encodeMessage interpolates event and id into the output without inspecting them for line terminators:

if (message.event) {
  output += `event: ${message.event}\n`
}
// ...
if (typeof message.id === 'string' || typeof message.id === 'number') {
  output += `id: ${message.id}\n`
}

The SSE specification treats \r, \n, and \r\n as line terminators. A \n (or \r) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.

By contrast, data and comment already normalize all three line-terminator forms via NEWLINES_RE = /(\r\n|\r|\n)/g, so they are not affected.

Proof of concept

import {encode} from 'eventsource-encoder'

// Attacker-controlled value flows into `event`
const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}'

console.log(encode({event: userSuppliedTopic, data: 'hello'}))

Output:

event: message
event: admin
data: {"role":"admin"}
data: hello

The browser sees two events: a forged admin event with attacker-chosen payload, followed by the legitimate message event. The same primitive works through id for any string id value.

Impact

If untrusted input is passed into the event or id field of a message, an attacker can:

  • Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)
  • Inject additional SSE fields (data:, id:, retry:) into the stream
  • Split a single encode() call into multiple distinct browser events
  • Override the client's Last-Event-ID via injected id: lines

The vulnerability requires that an application places attacker-controlled data into event or id. Applications that only put trusted, statically-defined values into these fields are not affected.

Patches

Fixed in eventsource-encoder@1.0.2. The event and string id fields are now validated; any value containing \r or \n causes the encoder to throw a TypeError rather than emit a malformed stream.

Workarounds

If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to encode / encodeMessage:

function safeSingleLine(value) {
  if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line')
  return value
}

encode({event: safeSingleLine(topic), id: safeSingleLine(id), data})

Resources

  • Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385
  • SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream

Credit

Discovered while reviewing in light of GHSA-4hxc-9384-m385.

Severity
5.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "eventsource-encoder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:49:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\\n`, `\\r`, or `\\r\\n`) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to [GHSA-4hxc-9384-m385](https://github.com/advisories/GHSA-4hxc-9384-m385) (h3), but the vulnerable fields are `event`/`id` rather than `data`/`comment`. These are less likely to be user-controllable, but should still be sanitized.\n\n### Details\n\nIn `src/encode.ts`, `encodeMessage` interpolates `event` and `id` into the output without inspecting them for line terminators:\n\n```ts\nif (message.event) {\n  output += `event: ${message.event}\\n`\n}\n// ...\nif (typeof message.id === \u0027string\u0027 || typeof message.id === \u0027number\u0027) {\n  output += `id: ${message.id}\\n`\n}\n```\n\nThe SSE specification treats `\\r`, `\\n`, and `\\r\\n` as line terminators. A `\\n` (or `\\r`) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.\n\nBy contrast, `data` and `comment` already normalize all three line-terminator forms via `NEWLINES_RE = /(\\r\\n|\\r|\\n)/g`, so they are not affected.\n\n### Proof of concept\n\n```js\nimport {encode} from \u0027eventsource-encoder\u0027\n\n// Attacker-controlled value flows into `event`\nconst userSuppliedTopic = \u0027message\\nevent: admin\\ndata: {\"role\":\"admin\"}\u0027\n\nconsole.log(encode({event: userSuppliedTopic, data: \u0027hello\u0027}))\n```\n\nOutput:\n\n```\nevent: message\nevent: admin\ndata: {\"role\":\"admin\"}\ndata: hello\n\n```\n\nThe browser sees two events: a forged `admin` event with attacker-chosen payload, followed by the legitimate `message` event. The same primitive works through `id` for any string id value.\n\n### Impact\n\nIf untrusted input is passed into the `event` or `id` field of a message, an attacker can:\n\n- Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)\n- Inject additional SSE fields (`data:`, `id:`, `retry:`) into the stream\n- Split a single `encode()` call into multiple distinct browser events\n- Override the client\u0027s `Last-Event-ID` via injected `id:` lines\n\nThe vulnerability requires that an application places attacker-controlled data into `event` or `id`. Applications that only put trusted, statically-defined values into these fields are not affected.\n\n### Patches\n\nFixed in `eventsource-encoder@1.0.2`. The `event` and string `id` fields are now validated; any value containing `\\r` or `\\n` causes the encoder to throw a `TypeError` rather than emit a malformed stream.\n\n### Workarounds\n\nIf users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to `encode` / `encodeMessage`:\n\n```js\nfunction safeSingleLine(value) {\n  if (/[\\r\\n]/.test(value)) throw new Error(\u0027SSE field must be single-line\u0027)\n  return value\n}\n\nencode({event: safeSingleLine(topic), id: safeSingleLine(id), data})\n```\n\n### Resources\n\n- Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385\n- SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream\n\n### Credit\n\nDiscovered while reviewing in light of GHSA-4hxc-9384-m385.",
  "id": "GHSA-m9g3-3g99-mhpx",
  "modified": "2026-05-08T20:49:40Z",
  "published": "2026-05-08T20:49:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rexxars/eventsource-encoder"
    },
    {
      "type": "WEB",
      "url": "https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.