CVE-2022-32210

2022-07-1415:15:08

CWE-295

hackerone

web.nvd.nist.gov

undici

proxyagent

mitm

https

security

vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

46.4%

JSON

Undici.ProxyAgent never verifies the remote server’s certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy’s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Affected configurations

Nvd

Vulners

Node

nodejsundiciRange4.8.2–5.5.1node.js

VendorProductVersionCPE
nodejsundici*cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
nodejs	undici	*	cpe:2.3:a:nodejs:undici::::::node.js::*

CNA Affected

[
  {
    "product": "https://github.com/nodejs/undici",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0"
      }
    ]
  }
]