sse-channel is an SSE implementation which can be used with any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
PUBLISHED (CVE record format 5.2)
sse-channel: SSE Injection via unsanitized event fields
Problem type
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Affected products
rexxars
sse-channel
< 4.0.1 - AFFECTED
References
https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg
https://github.com/rexxars/sse-channel/issues/42
GitHub Security Advisories
GHSA-84hm-wfh8-c5pg
sse-channel: SSE Injection via unsanitized event fields
https://github.com/advisories/GHSA-84hm-wfh8-c5pg
Impact
Implementations that allow user-provided values to be passed to the event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.
- Event Spoofing: Attacker can inject arbitrary SSE events into the stream
- Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
- Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones
Patches
Patch available in v4.0.1.
Workarounds
Do not allow user data to control the event, retry or id fields; if you must, sanitize the input before passing it to sse-channel, stripping any newlines.
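The mechanism behind the impact list and the workaround above, as an added example that is not sse-channel's own code: a hypothetical serializer that interpolates the id, event and retry fields verbatim (modelling the pre-4.0.1 behaviour the advisory describes), a minimal parser that applies the EventSource dispatch rules (lines end at CRLF, CR or LF; "field: value"; a blank line dispatches), and the advisory's strip-newlines workaround applied to the same input. The attacker values and the serializer/parser function names are constructed for this example.

```javascript
// Added example, not sse-channel's own code: a hypothetical SSE serializer
// that writes fields as-is (the pre-4.0.1 behaviour the advisory describes),
// a minimal EventSource-style parser, and the advisory's strip-newlines
// workaround. Attacker values below are constructed for this example.

// Line terminators the EventSource spec recognises: CRLF, CR or LF.
const LINE_BREAK = /\r\n|\r|\n/;

// Hypothetical unsafe serializer: every field is interpolated verbatim, so a
// CR or LF inside `id`, `event` or `retry` ends the field early and lets the
// rest of the value be parsed as further SSE lines.
function serializeUnsafe({ id, event, retry, data }) {
  let out = '';
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  for (const line of String(data).split(LINE_BREAK)) out += `data: ${line}\n`;
  return out + '\n'; // the blank line dispatches the event on the client
}

// Workaround from the advisory: strip CR and LF from user-controlled string
// fields; `retry` is a reconnect time in ms and must be a non-negative integer.
function sanitizeField(value) {
  return String(value).replace(/[\r\n]/g, '');
}

function serializeSafe({ id, event, retry, data }) {
  const msg = { data };
  if (id !== undefined) msg.id = sanitizeField(id);
  if (event !== undefined) msg.event = sanitizeField(event);
  if (retry !== undefined) {
    const n = Number(retry);
    if (!Number.isInteger(n) || n < 0) {
      throw new TypeError('retry must be a non-negative integer');
    }
    msg.retry = n;
  }
  return serializeUnsafe(msg);
}

// Minimal parser following the EventSource dispatch rules: "field: value"
// lines accumulate into the current event, a blank line dispatches it (only
// if it has data), and the last event ID persists like a browser's lastEventId.
function parseStream(text) {
  const events = [];
  let lastEventId = '';
  let cur = { type: 'message', data: [], retry: undefined };
  for (const line of text.split(LINE_BREAK)) {
    if (line === '') {
      if (cur.data.length > 0) {
        events.push({ event: cur.type, id: lastEventId, retry: cur.retry, data: cur.data.join('\n') });
      }
      cur = { type: 'message', data: [], retry: undefined };
      continue;
    }
    if (line.startsWith(':')) continue; // comment line
    const sep = line.indexOf(':');
    const field = sep === -1 ? line : line.slice(0, sep);
    let value = sep === -1 ? '' : line.slice(sep + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'data') cur.data.push(value);
    else if (field === 'event') cur.type = value;
    else if (field === 'id' && !value.includes('\0')) lastEventId = value;
    else if (field === 'retry' && /^\d+$/.test(value)) cur.retry = Number(value);
  }
  return events;
}

// Constructed attacker input: an `id` carrying a complete second message.
const ATTACKER_ID = 'u42\n\nevent: adminAction\ndata: {"grant":"root"}\n';
// Constructed attacker input using only CR, which also terminates a line.
const ATTACKER_EVENT = 'tick\rdata: injected\r\r';

// LF injection via `id`: the client dispatches a spoofed adminAction event
// before the legitimate "hello" message.
function injectedEvents() {
  return parseStream(serializeUnsafe({ id: ATTACKER_ID, data: 'hello' }));
}

// CR-only injection via `event`: stripping just "\n" would not stop this.
function crInjectedEvents() {
  return parseStream(serializeUnsafe({ event: ATTACKER_EVENT, data: 'ok' }));
}

// The same attacker `id` through the sanitizing serializer: one event, no spoof.
function sanitizedEvents() {
  return parseStream(serializeSafe({ id: ATTACKER_ID, data: 'hello' }));
}
```

Stripping keeps the request alive but leaves a mangled id on the legitimate event, so in practice rejecting input that contains CR or LF (and anything that is not a plain integer for retry) is usually the better choice than silently cleaning it. Both CR and LF must be handled: the EventSource parser treats a bare CR as a line terminator, so a filter that only removes "\n" still allows injection.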
Resources
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-44217
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-44217",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"datePublished": "2026-05-12T19:51:06.910Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:51:06.910Z"
},
"title": "sse-channel: SSE Injection via unsanitized event fields",
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"affected": [
{
"vendor": "rexxars",
"product": "sse-channel",
"versions": [
{
"version": "< 4.0.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')",
"cweId": "CWE-93",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/rexxars/sse-channel/issues/42",
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}