CVE-2026-44214

CVE-2026-44214 is a medium-severity security vulnerability in eventsource-encoder (npm), affecting versions <= 1.0.1. It is fixed in 1.0.2.

Summary

eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to GHSA-4hxc-9384-m385 (h3), but the vulnerable fields are event/id rather than data/comment. These are less likely to be user-controllable, but should still be sanitized.

Details

In src/encode.ts, encodeMessage interpolates event and id into the output without inspecting them for line terminators:

if (message.event) {
  output += `event: ${message.event}\n`
}
// ...
if (typeof message.id === 'string' || typeof message.id === 'number') {
  output += `id: ${message.id}\n`
}

The SSE specification treats \r, \n, and \r\n as line terminators. A \n (or \r) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.

By contrast, data and comment already normalize all three line-terminator forms via NEWLINES_RE = /(\r\n|\r|\n)/g, so they are not affected.

Proof of concept

import {encode} from 'eventsource-encoder'

// Attacker-controlled value flows into `event`
const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}'

console.log(encode({event: userSuppliedTopic, data: 'hello'}))

Output:

event: message
event: admin
data: {"role":"admin"}
data: hello

The browser sees two events: a forged admin event with attacker-chosen payload, followed by the legitimate message event. The same primitive works through id for any string id value.

Workarounds

If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to encode / encodeMessage:

import {encode} from 'eventsource-encoder'

// Reject (rather than silently alter) any value that contains an SSE line terminator
function safeSingleLine(value) {
  if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line')
  return value
}

// `topic` and `id` come from an untrusted source; `data` is already normalized by the encoder
encode({event: safeSingleLine(topic), id: safeSingleLine(id), data})
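As an added illustration (example code written for this page, not the eventsource-encoder project's own source), the following hardened encoder applies the single-line rule above to event and id, keeps the line-terminator normalization that the Details section says data and comment already receive, and round-trips the result through a minimal SSE parser so you can confirm that exactly one message is dispatched with the intended type. The names encodeMessageHardened, assertSingleLine and parseSseStream are this example's own; the TypeError mirrors the behaviour described for the 1.0.2 fix, not its actual code, and the inputs at the bottom are constructed for the check.

```javascript
// Hardened SSE message encoder plus a minimal parser for verification.
// Example code for this page, not the eventsource-encoder package's own.

// Same normalization the advisory says data/comment already go through.
const NEWLINES_RE = /(\r\n|\r|\n)/g;

// event and id must stay on one line: a \r or \n inside the value would end
// the field early and let the remainder be read as new fields. Throwing a
// TypeError is modelled on the described 1.0.2 behaviour (assumed message).
function assertSingleLine(field, value) {
  if (/[\r\n]/.test(value)) {
    throw new TypeError(`SSE field "${field}" must not contain line terminators`);
  }
  return value;
}

function encodeMessageHardened(message) {
  let output = '';
  if (message.comment !== undefined) {
    // multi-line comments are safe: every line gets its own ":" prefix
    for (const line of String(message.comment).replace(NEWLINES_RE, '\n').split('\n')) {
      output += `: ${line}\n`;
    }
  }
  if (message.event) {
    output += `event: ${assertSingleLine('event', String(message.event))}\n`;
  }
  if (typeof message.id === 'string' || typeof message.id === 'number') {
    output += `id: ${assertSingleLine('id', String(message.id))}\n`;
  }
  if (message.data !== undefined) {
    // multi-line data is safe for the same reason: one "data:" line per line
    for (const line of String(message.data).replace(NEWLINES_RE, '\n').split('\n')) {
      output += `data: ${line}\n`;
    }
  }
  return output + '\n'; // the blank line terminates the message
}

// Minimal parser following the SSE event-stream processing model: lines end
// at \r\n, \r or \n; "field: value"; a blank line dispatches the buffered event.
function parseSseStream(text) {
  const events = [];
  let type = '';
  let data = [];
  let lastEventId = '';
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (data.length > 0) {
        events.push({type: type || 'message', data: data.join('\n'), lastEventId});
      }
      type = '';
      data = [];
      continue;
    }
    if (line.startsWith(':')) continue; // comment line
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') type = value;
    else if (field === 'data') data.push(value);
    else if (field === 'id' && !value.includes('\0')) lastEventId = value;
    // retry and unknown fields are ignored in this check
  }
  return events;
}

// Constructed inputs: a legitimate multi-line message and the advisory's PoC value.
const LEGIT = {event: 'message', id: 42, data: 'line one\r\nline two'};
const POC = {event: 'message\nevent: admin\ndata: {"role":"admin"}', data: 'hello'};

function demo() {
  const encoded = encodeMessageHardened(LEGIT);
  const roundTrip = parseSseStream(encoded); // expect exactly one event
  let rejected = false;
  try {
    encodeMessageHardened(POC);
  } catch (e) {
    rejected = e instanceof TypeError; // the injection attempt is refused
  }
  return {encoded, roundTrip, rejected};
}

console.log(JSON.stringify(demo(), null, 2));
```

Normalizing data to "one data: line per input line" is what makes multi-line payloads safe there; event and id have no such multi-line form in the protocol, so the only safe option is to refuse the value, which is why the example throws instead of stripping.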

Credit

Discovered while reviewing in light of GHSA-4hxc-9384-m385.

Impact

If untrusted input is passed into the event or id field of a message, an attacker can:

  • Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)
  • Inject additional SSE fields (data:, id:, retry:) into the stream
  • Split a single encode() call into multiple distinct browser events
  • Override the client's Last-Event-ID via injected id: lines

The vulnerability requires that an application place attacker-controlled data into event or id. Applications that only put trusted, statically defined values into these fields are not affected.

CVE-2026-44214 has a CVSS score of 5.8 (Medium). The vector is network-reachable, requires no privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.2); upgrading removes the vulnerable code path.

Affected versions

eventsource-encoder (<= 1.0.1)

Security releases

eventsource-encoder → 1.0.2 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Fixed in eventsource-encoder@1.0.2. The event and string id fields are now validated; any value containing \r or \n causes the encoder to throw a TypeError rather than emit a malformed stream.

Frequently Asked Questions

  1. What is CVE-2026-44214? CVE-2026-44214 is a medium-severity security vulnerability in eventsource-encoder (npm), affecting versions <= 1.0.1. It is fixed in 1.0.2.
  2. How severe is CVE-2026-44214? CVE-2026-44214 has a CVSS score of 5.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of eventsource-encoder are affected by CVE-2026-44214? eventsource-encoder (npm) versions <= 1.0.1 are affected.
  4. Is there a fix for CVE-2026-44214? Yes. CVE-2026-44214 is fixed in 1.0.2. Upgrade to this version or later.
  5. Is CVE-2026-44214 exploitable, and should I be worried? Whether CVE-2026-44214 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44214 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44214? Upgrade eventsource-encoder to 1.0.2 or later.
