Vulnerability Details : CVE-2022-32210
Potential exploit
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Products affected by CVE-2022-32210
- cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-32210
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-32210
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
2.2
|
4.2
|
NIST |
CWE ids for CVE-2022-32210
-
The product does not validate, or incorrectly validates, a certificate.Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)
References for CVE-2022-32210
-
https://hackerone.com/reports/1583680
#1583680 Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxyExploit;Issue Tracking;Third Party Advisory
-
https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33
ProxyAgent vulnerable to MITM · Advisory · nodejs/undici · GitHubExploit;Third Party Advisory
Jump to