CVE-2022-35949 undici

Package

Manager: npm
Name: undici
Vulnerable Version: >=0 <5.8.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00424 (percentile 0.61344)

Details

`undici.request` vulnerable to SSRF using absolute URL on `pathname`

### Impact

`undici` is vulnerable to SSRF (Server-Side Request Forgery) when an application passes **user input** into the `path`/`pathname` option of `undici.request`. If a user supplies a value such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of issuing the request to `http://example.com//127.0.0.1` (or to `http://example.com/http://127.0.0.1` when `http://127.0.0.1` is used), undici resolves the target as `http://127.0.0.1/` and sends the request to `127.0.0.1`. A developer who places user input in the `path` parameter of `undici.request` will assume the hostname is fixed by `origin`, but because the path is combined with the base URL by URL resolution, an absolute URL or a protocol-relative `//host` value replaces the host. The result is an SSRF: the attacker chooses which server the application talks to.

### Patches

This issue was fixed in `undici@5.8.1`. The vulnerable range recorded on this page is `>=0 <5.8.2`, so upgrade to 5.8.2 or later.

### Workarounds

The best workaround is to validate user input before passing it to the `undici.request` call: only accept a path that stays on the intended origin, and reject anything that parses as an absolute URL or changes the host.

## For more information

If you have any questions or comments about this advisory:

- Open an issue in the [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document
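The following Node script is an added illustration, not code from the undici project or from the advisory. It models the resolution the advisory describes with Node's built-in WHATWG `URL` parser (an assumption: the script does not call undici, it only reproduces the host swap that resolving `path` against `origin` produces), and then shows one way to do the input validation the Workarounds section recommends. The function names `resolveRequestTarget` and `safePath`, the same-origin and round-trip checks, and the sample inputs are this example's own.

```javascript
// Added example (not undici's own code). Models how a user-controlled path
// resolved against `origin` can change the target host, and validates it.

// Model of the vulnerable behaviour: resolving `path` against `origin` with
// the WHATWG URL parser lets an absolute URL or a "//host" prefix replace
// the host. Assumption: this mirrors the resolution the advisory describes.
function resolveRequestTarget(origin, path) {
  return new URL(path, origin).href;
}

// Hardened helper for the Workarounds section. Returns the normalised
// path plus query string if the request stays on `origin`, or null if the
// input must be rejected.
function safePath(origin, userPath) {
  if (typeof userPath !== "string") return null;
  // A same-origin path starts with exactly one "/" (not "//", not a scheme).
  if (!userPath.startsWith("/") || userPath.startsWith("//")) return null;
  // Control characters and spaces have no business in a request target.
  if (/[\x00-\x20\x7f]/.test(userPath)) return null;

  const expected = new URL(origin);
  let resolved;
  try {
    resolved = new URL(userPath, expected);
  } catch {
    return null;
  }
  // For http(s) the parser treats "\" like "/", so "/\\127.0.0.1" also
  // moves the host; comparing the resolved origin catches every variant.
  if (resolved.origin !== expected.origin) return null;

  const result = resolved.pathname + resolved.search;
  // Dot-segment removal can leave a "//host" prefix (e.g. "/..//127.0.0.1"
  // normalises to "//127.0.0.1"), which would be re-resolved as a new host
  // if it were handed to a vulnerable client. Require a round trip.
  if (new URL(result, expected).href !== resolved.href) return null;
  return result;
}

// Constructed inputs for demonstration (not taken from a real incident).
const demoOrigin = "http://example.com";
const demoPaths = [
  "/api/v1?x=1",
  "//127.0.0.1",
  "http://127.0.0.1",
  "/\\127.0.0.1",
  "/..//127.0.0.1",
];
for (const p of demoPaths) {
  console.log(
    JSON.stringify(p),
    "resolves to", resolveRequestTarget(demoOrigin, p),
    "| safePath:", safePath(demoOrigin, p)
  );
}
```

Only the value returned by `safePath` should be passed on as the request path; the origin comparison covers the backslash and absolute-URL variants, and the round-trip check covers inputs that normalise into a protocol-relative path.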

Metadata

Created: 2022-08-18T18:59:46Z
Modified: 2023-01-18T21:52:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8qr4-xgw6-wmr3/GHSA-8qr4-xgw6-wmr3.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-8qr4-xgw6-wmr3
Finding: F100
Auto approve: 1