mend-bolt-for-github bot changed the title from "CVE-2022-35949 (High) detected in undici-5.7.0.tgz" to "CVE-2022-35949 (Critical) detected in undici-5.7.0.tgz" on Jun 19, 2023
CVE-2022-35949 - Critical Severity Vulnerability
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in HEAD commit: f792eb875e9b8543f5d22192aff109986a7b281c
Found in base branch: main
undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the `path`/`pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into the `path` parameter of `undici.request`, it can result in an SSRF, as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in undici@5.8.1. The best workaround is to validate user input before passing it to the `undici.request` call.

Publish Date: 2022-08-12
URL: CVE-2022-35949
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
Release Date: 2022-08-12
Fix Resolution: undici - 5.8.2
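The advisory's recommended workaround is to validate user input before it reaches `undici.request`. The following is an added example of such a check; it is not code from the undici project or from the advisory. It assumes a fixed upstream origin (`ALLOWED_ORIGIN`, set to `http://example.com` here), and the function names `isSafePath` and `buildRequestOptions` are hypothetical. It resolves the candidate path against the intended origin with the WHATWG `URL` parser, which is the "path combined with the base URL" behaviour the advisory describes, and rejects any path whose resolution no longer points at that origin. No request is sent; the block only decides whether the options object may be built.

```javascript
// Added example (not undici's own code): reject user-supplied paths that
// would re-target an undici.request built from a fixed origin.

const ALLOWED_ORIGIN = "http://example.com"; // assumed fixed upstream origin

/**
 * Return true only if `userPath` is safe to pass as the `path` option of
 * undici.request against `origin`.
 */
function isSafePath(userPath, origin = ALLOWED_ORIGIN) {
  if (typeof userPath !== "string") return false;
  // A request path must be a single absolute path: exactly one leading slash,
  // no scheme and no "//" prefix (which a URL parser treats as a new host).
  if (!userPath.startsWith("/") || userPath.startsWith("//")) return false;
  // The special-scheme URL parser normalises "\" to "/", so "/\127.0.0.1"
  // would also be read as "//127.0.0.1"; refuse backslashes outright.
  if (userPath.includes("\\")) return false;
  let resolved;
  try {
    resolved = new URL(userPath, origin);
  } catch {
    return false; // unparsable input is never forwarded
  }
  // Belt and braces: the resolved request must still point at our origin.
  return resolved.origin === new URL(origin).origin;
}

/**
 * Build the options object for undici.request, throwing instead of
 * silently letting the request go to a different host.
 */
function buildRequestOptions(userPath, origin = ALLOWED_ORIGIN) {
  if (!isSafePath(userPath, origin)) {
    throw new Error(`refusing path that would change the request host: ${userPath}`);
  }
  return { origin, path: userPath, method: "GET" };
}

// Constructed sample inputs and the verdict each one should receive.
const SAMPLES = {
  "/api/users": true,
  "//127.0.0.1": false,       // the advisory's example: resolves to http://127.0.0.1/
  "http://127.0.0.1": false,  // the advisory's other example
  "/\\127.0.0.1": false,      // backslash spelling of the same resolution
  "api/users": false,         // relative path: not anchored at the root
};

// Map each sample to whether isSafePath agreed with the expected verdict.
function checkSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([p, expected]) => [p, isSafePath(p) === expected])
  );
}

for (const [p, ok] of Object.entries(checkSamples())) {
  console.log(`${ok ? "PASS" : "FAIL"} ${JSON.stringify(p)}`);
}
```

The `startsWith` checks are the actual guard; the final `origin` comparison exists so that a parser quirk the prefix checks miss still fails closed rather than open. Upgrading undici past the fixed version remains the primary remediation; this check is the interim mitigation the advisory suggests.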