Advisories for Npm/Sse-Channel package

2026

sse-channel: SSE Injection via unsanitized event fields

Implementations that allow user-provided values to be passed to the event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

- Event Spoofing: Attacker can inject arbitrary SSE events into the stream
- Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
- Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones
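
The field handling described above, as an added example that is not sse-channel's own code: a serializer that concatenates field values verbatim next to one that rejects line terminators in event and id, requires digits for retry, and splits data per line. The function names, the reduced client-side parser and the sample input are assumptions made for illustration.

```javascript
// Added example; all function names here are hypothetical.
// Naive serializer: field values are concatenated into the frame verbatim.
function formatNaive({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  return out + `data: ${data}\n\n`;
}

// Single-line fields must not carry a line terminator (CR or LF).
function singleLine(name, value) {
  const s = String(value);
  if (/[\r\n]/.test(s)) throw new TypeError(`${name} must not contain CR or LF`);
  return s;
}

// Hardened serializer: validate event/id, digits-only retry, one "data:" line per payload line.
function formatSafe({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${singleLine('event', event)}\n`;
  if (id !== undefined) out += `id: ${singleLine('id', id)}\n`;
  if (retry !== undefined) {
    if (!/^[0-9]+$/.test(String(retry))) throw new TypeError('retry must be digits');
    out += `retry: ${retry}\n`;
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Reduced client-side framing (event and data fields only): a blank line dispatches.
function parseEvents(stream) {
  const events = [];
  let cur = { event: 'message', data: [] };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (cur.data.length) events.push({ event: cur.event, data: cur.data.join('\n') });
      cur = { event: 'message', data: [] };
      continue;
    }
    const i = line.indexOf(':');
    const field = i === -1 ? line : line.slice(0, i);
    const value = i === -1 ? '' : line.slice(i + 1).replace(/^ /, '');
    if (field === 'event') cur.event = value;
    else if (field === 'data') cur.data.push(value);
  }
  return events;
}
// Constructed input: an event name that carries its own line breaks.
const constructed = { event: 'update\ndata: forged\n\nevent: update', data: 'real' };
```

With the constructed input, the naive serializer's output parses as two events where one was intended, while the hardened serializer throws before anything is written to the stream.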