
9 matches found

RedhatCVE
added 2025/05/23 12:43 a.m., 4 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...

CVSS 6.5 | AI score 6.9 | EPSS 0.00127
Exploits: 1 | References: 1
OSV
added 2022/07/14 3:15 p.m., 1 views

DEBIAN-CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...

CVSS 6.5 | AI score 6.4 | EPSS 0.00127
Exploits: 1 | References: 1
NVD
added 2022/07/14 3:15 p.m., 15 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...

CVSS 6.5 | EPSS 0.00127
Exploits: 1 | References: 2
Prion
added 2022/07/14 3:15 p.m., 19 views

Design/Logic Flaw

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...

CVSS 4 | AI score 6.4 | EPSS 0.00127
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2022/07/14 2:51 p.m., 85 views

CVE-2022-32210

CVE-2022-32210 concerns Undici’s ProxyAgent, which, per the connected document, does not verify the remote server’s TLS certificate and propagates all request/response data to the proxy. This can enable a proxy to perform a Man‑in‑the‑Middle on HTTPS traffic, and if the proxy URL is HTTP, nominal...

CVSS 6.5 | AI score 6.3 | EPSS 0.00127
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2022/07/14 2:51 p.m., 15 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...

AI score 6.7 | EPSS 0.00127
Exploits: 1 | References: 2
Github Security Blog
added 2022/06/17 1:2 a.m., 29 views

ProxyAgent vulnerable to MITM

Description: Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually...

CVSS 6.5 | AI score 6.2 | EPSS 0.00127
Exploits: 1 | References: 4 | Affected Software: 1
Hacker One
added 2022/06/13 3:7 p.m., 44 views

Internet Bug Bounty: Undici ProxyAgent vulnerable to MITM

Full GitHub advisory summarizing the issue is here: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1583680 This was fixed & disclosed in Undici v5.5.1. This primarily affects Undici, a...

AI score 6.7
Exploits: 0
Hacker One
added 2022/05/27 5:49 p.m., 385 views

Node.js: Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy

Summary: When using Undici with its ProxyAgent, it does not use CONNECT or correctly verify the upstream server's HTTPS certificate. Description: This affects both Undici itself and global fetch in Node 18 when used with Undici's ProxyAgent. I've submitted this here for Node as it affects global...

CVSS 4 | AI score 6.4 | EPSS 0.00127
Exploits: 1