CVE-2022-35949 : undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulne

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

Published 2022-08-12 23:15:08

Updated 2023-03-28 17:10:19

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF)

Products affected by CVE-2022-35949

Nodejs » Undici » For Node.js
Versions up to, including, (<=) 5.8.1
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-35949

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 42 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-35949

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-35949

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-35949

https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895

Merge pull request from GHSA-8qr4-xgw6-wmr3 · nodejs/undici@124f7eb · GitHub
Patch;Third Party Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3

`undici.request` vulnerable to SSRF using absolute URL on `pathname` · Advisory · nodejs/undici · GitHub
Exploit;Mitigation;Third Party Advisory
https://github.com/nodejs/undici/releases/tag/v5.8.2

Release v5.8.2 · nodejs/undici · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-35949

Products affected by CVE-2022-35949

Exploit prediction scoring system (EPSS) score for CVE-2022-35949

CVSS scores for CVE-2022-35949

CWE ids for CVE-2022-35949

References for CVE-2022-35949