Description
sse-channel is an SSE implementation which can be used with any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
Published: 2026-05-12
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in sse-channel allows an attacker to inject arbitrary messages into an SSE stream by sending unsanitized values for the event, retry, or id fields. This can result in spoofed events that appear legitimate to clients, potentially leading to confusion, traffic hijacking, or the execution of unintended actions. The weakness is a form of SSE injection (CWE-93) and is present in all releases before 4.0.1.

Affected Systems

The affected product is the sse-channel library from rexxars, used in any node.js application that streams SSE responses via an http request/response. All versions prior to 4.0.1 are vulnerable; upgrading to 4.0.1 or later resolves the issue.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate risk, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this by crafting HTTP requests containing arbitrary values for the event, retry, or id fields; the lack of input sanitization permits message injection. If the SSE endpoint is publicly accessible, the exploit can be performed remotely, making it a significant threat to applications that rely on trust in the streamed events.

Generated by OpenCVE AI on May 12, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update sse-channel to version 4.0.1 or newer.
  • Restrict or validate user-supplied values for event, retry, and id fields before sending them through the library.
  • If an upgrade is unavailable, configure the library or your application to ignore or sanitize any user-supplied data that populates these fields.
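The following is an added example of the validation step recommended above; it is not code from sse-channel or from OpenCVE. It assumes the application validates event, id and retry values itself before handing them to whatever SSE library it uses. SSE is a line-oriented text format ("field: value" per line, a blank line ending a message), which is why a CR or LF inside a single-line field is the value that must never reach the stream (the CWE-93 pattern named in the advisory). The function names (isSafeSseFieldValue, parseRetry, formatSseMessage) and the sample inputs are constructed for this example.

```javascript
// Added example (not sse-channel's code): validate user-influenced values
// before they are placed in the single-line event, id or retry fields of an
// SSE message. A CR or LF inside such a value would end the field early and
// let the rest of the value be read as further fields or a new event.

const CRLF_PATTERN = /[\r\n]/;

// True when a value is a string that cannot break out of its SSE field.
function isSafeSseFieldValue(value) {
  return typeof value === 'string' && !CRLF_PATTERN.test(value);
}

// retry is a reconnection interval in milliseconds; clients ignore anything
// that is not a non-negative integer, so only digits are accepted here.
function parseRetry(value) {
  const str = String(value);
  if (!/^\d{1,9}$/.test(str)) {
    throw new TypeError('retry must be a non-negative integer (ms)');
  }
  return Number(str);
}

// Validate the optional event name, id and retry interval, then serialise one
// SSE message. data is the only field that may span lines; each line of it is
// emitted with its own "data:" prefix, so a newline in data cannot inject
// other fields either.
function formatSseMessage({ event, id, retry, data }) {
  const lines = [];
  if (event !== undefined) {
    if (!isSafeSseFieldValue(event)) throw new RangeError('unsafe event name');
    lines.push(`event: ${event}`);
  }
  if (id !== undefined) {
    if (!isSafeSseFieldValue(id)) throw new RangeError('unsafe id');
    lines.push(`id: ${id}`);
  }
  if (retry !== undefined) {
    lines.push(`retry: ${parseRetry(retry)}`);
  }
  const dataStr = typeof data === 'string' ? data : JSON.stringify(data);
  for (const part of dataStr.split(/\r\n|\r|\n/)) {
    lines.push(`data: ${part}`);
  }
  return lines.join('\n') + '\n\n';
}

// Constructed sample: a client-supplied id containing a line break. Returns
// true when the check rejects it before anything would be written.
function rejectsInjectedId() {
  try {
    formatSseMessage({ id: '42\nevent: spoofed', data: 'x' });
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Expected output for a well-formed message (for readers running this file):
//   "event: update\nid: 7\nretry: 5000\ndata: hello\n\n"
console.log(JSON.stringify(formatSseMessage({ event: 'update', id: '7', retry: 5000, data: 'hello' })));
console.log('injected id rejected:', rejectsInjectedId());
```

Rejecting rather than stripping is deliberate: an id that arrives with a line break in it is not a value the application ever intended to send, and refusing it surfaces the problem in logs instead of silently emitting a slightly different event.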

Generated by OpenCVE AI on May 12, 2026 at 21:42 UTC.

Advisories

Source: Github GHSA
ID: GHSA-84hm-wfh8-c5pg
Title: sse-channel: SSE Injection via unsanitized event fields

History

Thu, 14 May 2026 21:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Rexxars; Rexxars sse-channel

Type: Vendors & Products
Values Added: Rexxars; Rexxars sse-channel

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values Added: sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.

Type: Title
Values Added: sse-channel: SSE Injection via unsanitized event fields

Type: Weaknesses
Values Added: CWE-93

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0
{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:52:02.383Z

Reserved: 2026-05-05T15:13:47.572Z

Link: CVE-2026-44217

Vulnrichment

Updated: 2026-05-14T19:51:38.030Z

NVD

Status: Deferred

Published: 2026-05-12T20:16:42.513

Modified: 2026-05-13T18:21:10.270

Link: CVE-2026-44217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:13Z

Weaknesses