rexxars/eventsource-encoder

Releases3

Frequency9 months 1 week

Last Release 2 months ago

Stars4

Encodes events as well-formed EventSource/Server Sent Event (SSE) messages

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-44214 ↗	May 26, 2026Tuesday, 26 May 2026, 20:16	5.8 MEDIUM	—
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.