CVE-2022-32210

2022-07-1415:15:08

Debian Security Bug Tracker

security-tracker.debian.org

undici.proxyagent

proxy

mitm

https

traffic

plain-text

http

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.001

Percentile

46.4%

JSON

Undici.ProxyAgent never verifies the remote server’s certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy’s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

OSVersionArchitecturePackageVersionFilename
Debian12allnode-undici< 5.6.1+dfsg1+~cs18.9.16-1node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb
Debian999allnode-undici< 5.6.1+dfsg1+~cs18.9.16-1node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb
Debian13allnode-undici< 5.6.1+dfsg1+~cs18.9.16-1node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-undici	< 5.6.1+dfsg1+~cs18.9.16-1	node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb
Debian	999	all	node-undici	< 5.6.1+dfsg1+~cs18.9.16-1	node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb
Debian	13	all	node-undici	< 5.6.1+dfsg1+~cs18.9.16-1	node-undici_5.6.1+dfsg1+~cs18.9.16-1_all.deb