CVE-2022-35949
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-35949
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35949.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-35949
- Aliases
- Related
- Published
- 2022-08-12T23:15:07Z
- Modified
- 2024-10-12T09:48:58.322940Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
undici is an HTTP/1.1 client, written from scratch for Node.js.
undiciis vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into thepath/pathnameoption ofundici.request. If a user specifies a URL such ashttp://127.0.0.1or//127.0.0.1js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})Instead of processing the request ashttp://example.org//127.0.0.1(orhttp://example.org/http://127.0.0.1whenhttp://127.0.0.1 is used), it actually processes the request ashttp://127.0.0.1/and sends it tohttp://127.0.0.1. If a developer passes in user input intopathparameter ofundici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed inundici@5.8.1. The best workaround is to validate user input before passing it to theundici.requestcall. - References
Affected packages
Debian:12 / node-undici
Package
- Name
- node-undici
- Purl
- pkg:deb/debian/node-undici?arch=source
Debian:13 / node-undici
Package
- Name
- node-undici
- Purl
- pkg:deb/debian/node-undici?arch=source
Git / github.com/nodejs/undici
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/undici
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed