GHSA-84hm-wfh8-c5pg MEDIUM npm/sse-channel

CVE: CVE-2026-44217

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

• Event Spoofing: Attacker can inject arbitrary SSE events into the stream
• Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
• Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones

Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

📌 来源: GitHub-Advisory | 🆔 CVE-2026-44217 | 📅 2026-05-05