CVE-2022-35949

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-35949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35949.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35949
Aliases
Related
Published
2022-08-12T23:15:07Z
Modified
2024-10-12T09:48:58.322940Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in undici@5.8.1. The best workaround is to validate user input before passing it to the undici.request call.

References

Affected packages

Debian:12 / node-undici

Package

Name
node-undici
Purl
pkg:deb/debian/node-undici?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.8.2+dfsg1+~cs18.9.18.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-undici

Package

Name
node-undici
Purl
pkg:deb/debian/node-undici?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.8.2+dfsg1+~cs18.9.18.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/undici

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/undici
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.5
v1.2.6
v1.3.0
v1.3.1

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.1.0

v3.*

v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.3.1

v4.*

v4.0.0
v4.0.0-alpha.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.0-rc.5
v4.0.0-rc.7
v4.0.0-rc.8
v4.1.0
v4.1.1
v4.10.0
v4.10.1
v4.10.2
v4.10.3
v4.10.4
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.12.0
v4.12.2
v4.13.0
v4.14.0
v4.14.1
v4.15.0
v4.15.1
v4.16.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.5.0
v4.5.1
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.8.0
v4.8.1
v4.8.2
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.5

v5.*

v5.0.0
v5.1.0
v5.1.1
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v5.5.1
v5.6.0
v5.6.1
v5.7.0
v5.8.0
v5.8.1