PatchSiren cyber security CVE debrief

CVE-2026-44214 rexxars CVE debrief

A Server-Sent Events (SSE) injection vulnerability exists in the eventsource-encoder library prior to version 1.0.2. The library fails to sanitize the `event` and `id` fields of an `EventSourceMessage` before serialization, allowing attackers who control either field to inject line terminators (`\n`, `\r`, or `\r\n`). This injection capability enables forging of additional SSE fields or entire messages within the event stream, potentially leading to message spoofing or stream manipulation. The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). The issue was disclosed on 2026-05-26 and fixed in version 1.0.2.

Vendor: rexxars
Product: eventsource-encoder
CVSS: MEDIUM 5.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations using eventsource-encoder for Server-Sent Events functionality, particularly applications that incorporate user-controlled data into SSE message fields. Development teams building real-time notification systems, live data feeds, or streaming APIs with this library should prioritize patching.

Technical summary

The eventsource-encoder library serializes `EventSourceMessage` objects into SSE format without validating or escaping the `event` and `id` field values. The SSE protocol uses line terminators to delimit fields and messages. An attacker supplying crafted input containing `\n`, `\r`, or `\r\n` characters can prematurely terminate a field and inject arbitrary SSE protocol content. This violates the expected message structure and can cause downstream consumers to parse attacker-controlled content as legitimate SSE events. The vulnerability requires network access to the application using the library and attacker control over message field content, but no authentication is required. The scope change (S:C) in the CVSS vector reflects the potential impact on downstream components consuming the SSE stream.

Defensive priority

medium

Recommended defensive actions

  • Upgrade eventsource-encoder to version 1.0.2 or later
  • Validate and sanitize all user-controlled input before passing it to the `event` or `id` fields of an `EventSourceMessage`
  • Implement output encoding for SSE field values to neutralize line terminator characters
  • Review application logs for anomalous SSE message patterns indicating potential injection attempts
  • If immediate patching is not possible, implement a wrapper that sanitizes `\n`, `\r`, and `\r\n` sequences in the `event` and `id` fields before invoking the library
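To make the injection described in the technical summary and the sanitizing wrapper recommended above concrete, here is an added example; it is not the eventsource-encoder library's own code. The encoder is a minimal stand-in modelled only on the `event`/`id`/`data` message shape named in the advisory, and the hostile message is a constructed sample.

```javascript
// Minimal SSE serializer (stand-in, not the library's implementation).
// Vulnerable shape: `event` and `id` are written verbatim, so a value
// containing \n, \r or \r\n ends the field early and the remainder is
// parsed by the client as further SSE fields or a whole extra message.
function encodeUnsafe(msg) {
  let out = '';
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  // `data` is legitimately multi-line: the SSE format splits it into
  // one `data:` line per line, so terminators there are not a problem.
  for (const line of String(msg.data).split(/\r\n|\r|\n/)) {
    out += `data: ${line}\n`;
  }
  return out + '\n'; // blank line terminates the message
}

// Hardened shape: single-line fields must not contain a line terminator.
// Rejecting (rather than silently stripping) makes the attempt visible
// to application logging, which supports the log-review action above.
const LINE_TERMINATOR = /[\r\n]/;

function assertSingleLine(name, value) {
  if (LINE_TERMINATOR.test(value)) {
    throw new Error(`SSE field "${name}" must not contain line terminators`);
  }
  return value;
}

function encodeSafe(msg) {
  const checked = { ...msg };
  if (checked.event !== undefined) checked.event = assertSingleLine('event', String(checked.event));
  if (checked.id !== undefined) checked.id = assertSingleLine('id', String(checked.id));
  return encodeUnsafe(checked); // fields verified, so the same serializer is now safe
}

// How many `<name>:` fields a client would see in the serialized text.
function countField(serialized, name) {
  return serialized.split('\n').filter((l) => l.startsWith(`${name}: `)).length;
}

// Constructed sample: an attacker-controlled event name that smuggles a
// second, forged message into the stream via the unsanitized `event` field.
const hostile = {
  event: 'update\n\nevent: admin-alert\ndata: forged',
  id: '7',
  data: 'legit',
};
```

With `encodeUnsafe`, the client sees two `event:` fields and two `data:` lines for what the application thought was one message; `encodeSafe` refuses the same input.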

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-m9g3-3g99-mhpx. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N. Fix version 1.0.2 explicitly mentioned in advisory.

Official resources

2026-05-26