Description
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.
Published: 2026-05-26
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with control over the event or id fields of an EventSourceMessage to insert line terminators that terminate the current field and begin new SSE fields. By injecting , , or \n characters, the attacker can forge additional fields or entire messages on the stream, which may lead to unintended client behavior or content injection.

Affected Systems

Packages from the rexxars organization that implement the eventsource‑encoder library, specifically all releases prior to version 1.0.2, are affected. The vulnerability is fixed in 1.0.2 and later releases.

Risk and Exploitability

The CVSS score of 5.8 signifies a medium severity vulnerability. No EPSS score is available and the CVE is not listed in CISA’s KEV catalogue, indicating no confirmed exploitation activity at the time of this analysis. The likely attack vector is local to the component that serializes SSE messages; an adversary must be able to supply the event or id fields to the library, which typically requires code execution or a flaw in the application using the library.

Generated by OpenCVE AI on May 26, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eventsource-encoder library to version 1.0.2 or later
  • Validate and sanitize the event and id fields before passing them to the library, limiting input to allowed characters and length
  • Perform regression testing on application SSE streams to confirm that injected line terminators are no longer processed

Generated by OpenCVE AI on May 26, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m9g3-3g99-mhpx eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
History

Tue, 26 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.
Title eventsource-encoder: SSE event injection via unsanitized event and id fields
Weaknesses CWE-113
CWE-93
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T19:34:32.273Z

Reserved: 2026-05-05T15:13:47.572Z

Link: CVE-2026-44214

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-26T20:16:19.803

Modified: 2026-05-26T20:26:21.620

Link: CVE-2026-44214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses