9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
60.5%
undici is an HTTP/1.1 client, written from scratch for Node.js.undici
is
vulnerable to SSRF (Server-side Request Forgery) when an application takes
in user input into the path/pathname
option of undici.request
. If a
user specifies a URL such as http://127.0.0.1
or //127.0.0.1
js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
Instead of processing
the request as http://example.org//127.0.0.1
(or
http://example.org/http://127.0.0.1
when http://127.0.0.1 is used
), it
actually processes the request as http://127.0.0.1/
and sends it to
http://127.0.0.1
. If a developer passes in user input into path
parameter of undici.request
, it can result in an SSRF as they will
assume that the hostname cannot change, when in actual fact it can change
because the specified path parameter is combined with the base URL. This
issue was fixed in [email protected]
. The best workaround is to validate user
input before passing it to the undici.request
call.
github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 (v5.8.2)
github.com/nodejs/undici/releases/tag/v5.8.2
github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
launchpad.net/bugs/cve/CVE-2022-35949
nvd.nist.gov/vuln/detail/CVE-2022-35949
security-tracker.debian.org/tracker/CVE-2022-35949
www.cve.org/CVERecord?id=CVE-2022-35949
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
60.5%