Vulnerabilites related to nodejs - undici
Vulnerability from fkie_nvd
Published
2022-07-21 04:15
Modified
2024-11-21 07:04
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nodejs/undici/issues/872 | Exploit, Issue Tracking, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp | Third Party Advisory | |
| security-advisories@github.com | https://hackerone.com/reports/1635514 | Permissions Required, Third Party Advisory | |
| security-advisories@github.com | https://security.netapp.com/advisory/ntap-20220909-0006/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/issues/872 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1635514 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220909-0006/ | Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "6CE17D7F-0014-4379-A243-34EA094A0E05", versionEndExcluding: "5.7.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).", }, { lang: "es", value: "Los encabezados de autorización son borrados en las redirecciones de origen cruzado. Sin embargo, los encabezados de cookies, que son encabezados confidenciales y son encabezados oficiales que son encontrados en la especificación, permanecen sin limpiar. Se presentan usuarios activos que usan los encabezados de las cookies de forma indiscriminada. Esto puede conllevar a una fuga accidental de la cookie a un sitio de terceros o un atacante malicioso que pueda controlar el objetivo de la redirección (es decir, un redireccionador abierto) para filtrar la cookie al sitio de terceros. Esto fue parcheado en versión 5.7.1. Por defecto, esta vulnerabilidad no es explotable. No habilite los redireccionamientos, es decir, \"maxRedirections: 0\" (por defecto)", }, ], id: "CVE-2022-31151", lastModified: "2024-11-21T07:04:00.370", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-07-21T04:15:12.157", references: [ { source: "security-advisories@github.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/issues/872", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { source: "security-advisories@github.com", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://hackerone.com/reports/1635514", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220909-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/issues/872", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://hackerone.com/reports/1635514", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220909-0006/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-346", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-12 23:15
Modified
2024-11-21 07:12
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/releases/tag/v5.8.2 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 | Exploit, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/releases/tag/v5.8.2 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 | Exploit, Mitigation, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "CB5541CA-AC2D-4CFD-82A9-CF1FFEEFBB08", versionEndIncluding: "5.8.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.", }, { lang: "es", value: "undici es un cliente HTTP/1.1, escrito desde cero para Node.js.\"undici\" es vulnerable a un ataque de tipo SSRF (Server-side Request Forgery) cuando una aplicación toma la **user input** en la opción \"path/pathname\" de \"undici.request\". Si un usuario especifica una URL como \"http://127.0.0.1\" o \"//127.0.0.1\" \"\"js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) \"\"\" En lugar de procesar la petición como \"http://example.org//127.0.0.1\" (o \"http://example.org/http://127.0.0.1\" cuando es usada \"http://127.0.0.1\"), en realidad procesa la petición como \"http://127.0.0.1/\" y la envía a \"http://127.0.0.1\". Si un desarrollador pasa la entrada del usuario en el parámetro \"path\" de \"undici.request\", puede resultar en un _SSRF_ ya que asumirá que el nombre del host no puede cambiar, cuando en realidad puede cambiar porque el parámetro path especificado es combinado con la URL base. Este problema ha sido corregido en \"undici@5.8.1\". La mejor mitigación es comprender la entrada del usuario antes de pasarla a la llamada \"undici.request\".", }, ], id: "CVE-2022-35949", lastModified: "2024-11-21T07:12:01.970", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-12T23:15:07.970", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-16 22:15
Modified
2024-12-17 17:50
Severity ?
3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "9EC36A81-29A1-4932-82C8-CD6067AF38AF", versionEndExcluding: "5.28.3", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "86BD557D-23A2-411A-80E5-D0F212737103", versionEndExcluding: "6.6.1", versionStartIncluding: "6.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", }, { lang: "es", value: "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici ya borró los encabezados de Autorización en redirecciones de origen cruzado, pero no borró los encabezados \"Proxy-Authentication\". Este problema se solucionó en las versiones 5.28.3 y 6.6.1. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.", }, ], id: "CVE-2024-24758", lastModified: "2024-12-17T17:50:45.633", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.5, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 0.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-16T22:15:08.160", references: [ { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/11/1", }, { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240419-0007/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/11/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240419-0007/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-16 22:15
Modified
2024-12-17 17:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "86BD557D-23A2-411A-80E5-D0F212737103", versionEndExcluding: "6.6.1", versionStartIncluding: "6.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.", }, { lang: "es", value: "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. En las versiones afectadas, llamar a `fetch(url)` y no consumir el cuerpo entrante ((o consumirlo muy lentamente) provocará una pérdida de memoria. Este problema se solucionó en la versión 6.6.1. Se recomienda a los usuarios actualizar. Los usuarios no pueden Para actualizar debe asegurarse de consumir siempre el cuerpo entrante.", }, ], id: "CVE-2024-24750", lastModified: "2024-12-17T17:40:47.303", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-16T22:15:07.947", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240419-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240419-0006/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-401", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-15 11:21
Modified
2024-11-21 07:12
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/releases/tag/v5.8.2 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/releases/tag/v5.8.2 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "24D7C364-5958-4D55-8817-8FB01BF845F7", versionEndExcluding: "5.8.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.", }, { lang: "es", value: "undici es un cliente HTTP/1.1, escrito desde cero para Node.js.\" versiones anteriores a undici@5.8.0 incluyéndola\" los usuarios son vulnerables a una Inyección CRLF en los encabezados cuando usan entradas no saneadas como encabezados de petición, más concretamente, dentro del encabezado \"content-type\". Ejemplo: \"\"\" import { request } from \"undici\" const unsanitizedContentTypeInput = \"application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1\" await request(\"http://localhost:3000, { method: \"GET\", headers: { \"content-type\": unsanitizedContentTypeInput }, }) \"\"\" El fragmento anterior llevará a cabo dos peticiones en una sola llamada a la API \"request\": 1) \"http://localhost:3000/\" 2) \"http://localhost:3000/foo2\" Este problema fue parcheado en Undici versión v5.8.1. Sanear la entrada cuando son enviados encabezados de tipo de contenido usando la entrada del usuario como mitigación.", }, ], id: "CVE-2022-35948", lastModified: "2024-11-21T07:12:01.817", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-15T11:21:38.353", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-74", }, { lang: "en", value: "CWE-93", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-12 17:15
Modified
2024-11-21 08:26
Severity ?
3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | undici | * | |
| fedoraproject | fedora | 37 | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "6264C00F-837E-4B54-86E0-855BA2AFC80B", versionEndExcluding: "5.26.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.", }, { lang: "es", value: "Undici es un cliente HTTP/1.1 escrito desde cero para Node.js. Antes de la versión 5.26.2, Undici ya borraba los encabezados de Autorización en redireccionamientos entre orígenes, pero no borraba los encabezados de \"Cookie\". Por diseño, los encabezados de \"cookie\" son encabezados de solicitud prohibidos, lo que no permite que se establezcan en RequestInit.headers en entornos de navegador. Dado que undici maneja los encabezados de manera más liberal que la especificación, hubo una desconexión con las suposiciones que hizo la especificación y la implementación de fetch por parte de undici. Como tal, esto puede provocar una fuga accidental de cookies a un sitio de terceros o que un atacante malicioso que pueda controlar el objetivo de la redirección (es decir, un redirector abierto) filtre la cookie al sitio de terceros. Esto fue parcheado en la versión 5.26.2. No se conocen workarounds.", }, ], id: "CVE-2023-45143", lastModified: "2024-11-21T08:26:26.050", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.5, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-12T17:15:10.087", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.26.2", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", }, { source: "security-advisories@github.com", tags: [ "Permissions Required", ], url: "https://hackerone.com/reports/2166948", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.26.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://hackerone.com/reports/2166948", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-07-14 15:15
Modified
2024-11-21 07:05
Severity ?
Summary
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/1583680 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1583680 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "01EE431C-9AF4-4FF9-BB77-516E07FD8D18", versionEndExcluding: "5.5.1", versionStartIncluding: "4.8.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.", }, { lang: "es", value: "\"Undici.ProxyAgent\" nunca verifica el certificado del servidor remoto, y siempre expone todos los datos de petición y respuesta al proxy. Esto significa inesperadamente que los proxies pueden MitM todo el tráfico HTTPS, y si la URL del proxy es HTTP entonces también significa que las peticiones nominalmente HTTPS son realmente enviadas por medio de texto plano HTTP entre Undici y el servidor proxy", }, ], id: "CVE-2022-32210", lastModified: "2024-11-21T07:05:55.847", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-07-14T15:15:08.183", references: [ { source: "support@hackerone.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", }, { source: "support@hackerone.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://hackerone.com/reports/1583680", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://hackerone.com/reports/1583680", }, ], sourceIdentifier: "support@hackerone.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "support@hackerone.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-16 18:15
Modified
2024-11-21 07:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "0C8DD628-9AE0-4AB8-9C30-28B60906F606", versionEndExcluding: "5.19.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.", }, ], id: "CVE-2023-24807", lastModified: "2024-11-21T07:48:26.040", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-16T18:15:12.340", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", }, { source: "security-advisories@github.com", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://hackerone.com/bugs?report_id=1784449", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://hackerone.com/bugs?report_id=1784449", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20230324-0010/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-1333", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-04-04 15:15
Modified
2024-12-18 19:21
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | undici | * | |
| nodejs | undici | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "27A8308B-0EB3-454E-A010-12138A99119D", versionEndExcluding: "5.28.4", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "89E57BC8-475F-4BE0-8BB4-285512F8D177", versionEndExcluding: "6.11.1", versionStartIncluding: "6.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", matchCriteriaId: "CA277A6C-83EC-4536-9125-97B84C4FAF59", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", }, { lang: "es", value: "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Un atacante puede alterar la opción `integridad` pasada a `fetch()`, permitiendo que `fetch()` acepte solicitudes como válidas incluso si han sido manipuladas. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1.", }, ], id: "CVE-2024-30261", lastModified: "2024-12-18T19:21:11.997", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.6, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-04-04T15:15:39.460", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", }, { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Issue Tracking", ], url: "https://hackerone.com/reports/2377760", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", ], url: "https://hackerone.com/reports/2377760", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-16 18:15
Modified
2024-11-21 07:47
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", matchCriteriaId: "6E9FAEC6-2D3A-4CBE-859F-11BCECC4F724", versionEndExcluding: "16.19.1", versionStartIncluding: "16.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", matchCriteriaId: "80500AD0-17C2-4698-AE03-1C6782FD38B0", versionEndExcluding: "18.14.1", versionStartIncluding: "18.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", matchCriteriaId: "8F4FCD16-4B9F-44B9-80DD-D024759CAB10", versionEndExcluding: "19.6.1", versionStartIncluding: "19.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "0B81E26E-5BF8-495E-9544-E9688B6AE5BA", versionEndExcluding: "5.19.1", versionStartIncluding: "2.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.", }, ], id: "CVE-2023-23936", lastModified: "2024-11-21T07:47:08.223", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-16T18:15:10.877", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://hackerone.com/reports/1820955", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://hackerone.com/reports/1820955", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-93", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-74", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-07-19 21:15
Modified
2024-11-21 07:04
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nodejs/undici/releases/tag/v5.8.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc | Exploit, Third Party Advisory | |
| security-advisories@github.com | https://hackerone.com/reports/409943 | Exploit, Third Party Advisory | |
| security-advisories@github.com | https://security.netapp.com/advisory/ntap-20220915-0002/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/releases/tag/v5.8.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/409943 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220915-0002/ | Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "9673DD56-07E3-4AA7-A2E1-BAF0D820DFA0", versionEndExcluding: "5.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue.", }, { lang: "es", value: "undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Es posible inyectar secuencias de tipo CRLF en los encabezados de las peticiones en undici en versiones anteriores a 5.7.1. En versión 5.8.0 ha sido publicada una corrección. Una corrección a este problema es sanear todas las cabeceras HTTP de fuentes no confiables para eliminar las secuencias de tipo CRLF.", }, ], id: "CVE-2022-31150", lastModified: "2024-11-21T07:04:00.207", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-07-19T21:15:15.160", references: [ { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.0", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://hackerone.com/reports/409943", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220915-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://hackerone.com/reports/409943", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220915-0002/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-93", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-04-04 16:15
Modified
2025-02-13 18:17
Severity ?
3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | undici | * | |
| nodejs | undici | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "27A8308B-0EB3-454E-A010-12138A99119D", versionEndExcluding: "5.28.4", vulnerable: true, }, { criteria: "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", matchCriteriaId: "89E57BC8-475F-4BE0-8BB4-285512F8D177", versionEndExcluding: "6.11.1", versionStartIncluding: "6.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", matchCriteriaId: "CA277A6C-83EC-4536-9125-97B84C4FAF59", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", }, { lang: "es", value: "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borró los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borró para `undici.request()`. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1.", }, ], id: "CVE-2024-30260", lastModified: "2025-02-13T18:17:58.480", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.5, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.9, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-04-04T16:15:08.877", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", }, { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", }, { source: "security-advisories@github.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-285", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2024-30260
Vulnerability from cvelistv5
Published
2024-04-04 15:15
Modified
2025-02-13 17:47
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-30260", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-05T13:43:37.003793Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:38:49.201Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:32:05.438Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", }, { name: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", }, { name: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< 5.28.4", }, { status: "affected", version: ">= 6.0.0, < 6.11.1", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-285", description: "CWE-285: Improper Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-19T23:06:41.342Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", }, { name: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", }, { name: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, ], source: { advisory: "GHSA-m4v8-wqvr-p9f7", discovery: "UNKNOWN", }, title: "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-30260", datePublished: "2024-04-04T15:15:44.653Z", dateReserved: "2024-03-26T12:52:00.934Z", dateUpdated: "2025-02-13T17:47:47.503Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-31151
Vulnerability from cvelistv5
Published
2022-07-20 23:00
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp | x_refsource_CONFIRM | |
| https://github.com/nodejs/undici/issues/872 | x_refsource_MISC | |
| https://hackerone.com/reports/1635514 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220909-0006/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:11:39.602Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/issues/872", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/1635514", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220909-0006/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< 5.7.1", }, ], }, ], descriptions: [ { lang: "en", value: "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-09T17:06:28", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/issues/872", }, { tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/1635514", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220909-0006/", }, ], source: { advisory: "GHSA-q768-x9m6-m9qp", discovery: "UNKNOWN", }, title: "Uncleared cookies on cross-host/cross-origin redirect in undici", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-31151", STATE: "PUBLIC", TITLE: "Uncleared cookies on cross-host/cross-origin redirect in undici", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "undici", version: { version_data: [ { version_value: "< 5.7.1", }, ], }, }, ], }, vendor_name: "nodejs", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", refsource: "CONFIRM", url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { name: "https://github.com/nodejs/undici/issues/872", refsource: "MISC", url: "https://github.com/nodejs/undici/issues/872", }, { name: "https://hackerone.com/reports/1635514", refsource: "MISC", url: "https://hackerone.com/reports/1635514", }, { name: "https://security.netapp.com/advisory/ntap-20220909-0006/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220909-0006/", }, ], }, source: { advisory: "GHSA-q768-x9m6-m9qp", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31151", datePublished: "2022-07-20T23:00:15", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:11:39.602Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-45143
Vulnerability from cvelistv5
Published
2023-10-12 16:35
Modified
2025-02-13 17:13
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:14:19.709Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", }, { name: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { name: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", }, { name: "https://hackerone.com/reports/2166948", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/2166948", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.26.2", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.26.2", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-45143", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-17T13:10:30.877905Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-17T13:17:57.774Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< 5.26.2", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-03T21:06:35.944Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", }, { name: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp", }, { name: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76", }, { name: "https://hackerone.com/reports/2166948", tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/2166948", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.26.2", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/releases/tag/v5.26.2", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", }, ], source: { advisory: "GHSA-wqq4-5wpv-mx2g", discovery: "UNKNOWN", }, title: "Undici's cookie header not cleared on cross-origin redirect in fetch", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-45143", datePublished: "2023-10-12T16:35:40.637Z", dateReserved: "2023-10-04T16:02:46.330Z", dateUpdated: "2025-02-13T17:13:50.221Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-32210
Vulnerability from cvelistv5
Published
2022-07-14 14:51
Modified
2024-08-03 07:32
Severity ?
EPSS score ?
Summary
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://hackerone.com/reports/1583680 | x_refsource_MISC | |
| https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/nodejs/undici |
Version: Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:32:56.020Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/1583680", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "https://github.com/nodejs/undici", vendor: "n/a", versions: [ { status: "affected", version: "Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0", }, ], }, ], descriptions: [ { lang: "en", value: "`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "Improper Certificate Validation (CWE-295)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-14T14:51:40", orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1", shortName: "hackerone", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/1583680", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "support@hackerone.com", ID: "CVE-2022-32210", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "https://github.com/nodejs/undici", version: { version_data: [ { version_value: "Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Certificate Validation (CWE-295)", }, ], }, ], }, references: { reference_data: [ { name: "https://hackerone.com/reports/1583680", refsource: "MISC", url: "https://hackerone.com/reports/1583680", }, { name: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", refsource: "MISC", url: "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1", assignerShortName: "hackerone", cveId: "CVE-2022-32210", datePublished: "2022-07-14T14:51:40", dateReserved: "2022-06-01T00:00:00", dateUpdated: "2024-08-03T07:32:56.020Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-22150
Vulnerability from cvelistv5
Published
2025-01-21 17:46
Modified
2025-02-12 20:41
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-22150", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-21T18:34:22.789606Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-12T20:41:22.041Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: ">= 4.5.0, < 5.28.5", }, { status: "affected", version: ">= 6.0.0, < 6.21.1", }, { status: "affected", version: ">= 7.0.0, < 7.2.3", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-330", description: "CWE-330: Use of Insufficiently Random Values", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-21T17:46:58.872Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975", }, { name: "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0", }, { name: "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a", }, { name: "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385", }, { name: "https://hackerone.com/reports/2913312", tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/2913312", }, { name: "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f", tags: [ "x_refsource_MISC", ], url: "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f", }, { name: "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113", }, ], source: { advisory: "GHSA-c76h-2ccp-4975", discovery: "UNKNOWN", }, title: "Undici Uses Insufficiently Random Values", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-22150", datePublished: "2025-01-21T17:46:58.872Z", dateReserved: "2024-12-30T03:00:33.654Z", dateUpdated: "2025-02-12T20:41:22.041Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24750
Vulnerability from cvelistv5
Published
2024-02-16 21:42
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
References
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:nodejs:undici:6.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "undici", vendor: "nodejs", versions: [ { lessThan: "6.6.1", status: "affected", version: "6.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-24750", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-21T19:30:24.448932Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-25T16:45:31.786Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.823Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", }, { name: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240419-0006/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: ">= 6.0.0, < 6.6.1", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-19T07:06:03.993Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", }, { name: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", }, { url: "https://security.netapp.com/advisory/ntap-20240419-0006/", }, ], source: { advisory: "GHSA-9f24-jqhm-jfcw", discovery: "UNKNOWN", }, title: "Backpressure request ignored in fetch() in Undici", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-24750", datePublished: "2024-02-16T21:42:29.999Z", dateReserved: "2024-01-29T20:51:26.009Z", dateUpdated: "2025-02-13T17:40:21.089Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24758
Vulnerability from cvelistv5
Published
2024-02-16 21:40
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-24758", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-22T16:56:27.356620Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:43:23.837Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:11.855Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", }, { name: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240419-0007/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/11/1", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< 5.28.3", }, { status: "affected", version: ">= 6.0.0, < 6.6.1", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.9, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T18:12:33.401Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", }, { name: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", }, { url: "https://security.netapp.com/advisory/ntap-20240419-0007/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/11/1", }, ], source: { advisory: "GHSA-3787-6prv-h9w3", discovery: "UNKNOWN", }, title: "Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-24758", datePublished: "2024-02-16T21:40:37.716Z", dateReserved: "2024-01-29T20:51:26.010Z", dateUpdated: "2025-02-13T17:40:21.660Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-35949
Vulnerability from cvelistv5
Published
2022-08-12 00:00
Modified
2024-08-03 09:51
Severity ?
EPSS score ?
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:51:59.443Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", }, { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", }, { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "<= 5.8.1", }, ], }, ], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-918", description: "CWE-918: Server-Side Request Forgery (SSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-18T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", }, { url: "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", }, { url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, ], source: { advisory: "GHSA-8qr4-xgw6-wmr3", discovery: "UNKNOWN", }, title: "`undici.request` vulnerable to SSRF using absolute URL on `pathname`", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-35949", datePublished: "2022-08-12T00:00:00", dateReserved: "2022-07-15T00:00:00", dateUpdated: "2024-08-03T09:51:59.443Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-38372
Vulnerability from cvelistv5
Published
2024-07-08 20:25
Modified
2024-08-28 15:02
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq | x_refsource_CONFIRM | |
| https://github.com/nodejs/undici/issues/3328 | x_refsource_MISC | |
| https://github.com/nodejs/undici/issues/3337 | x_refsource_MISC | |
| https://github.com/nodejs/undici/pull/3338 | x_refsource_MISC | |
| https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36 | x_refsource_MISC |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:nodejs:undici:6.14.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "undici", vendor: "nodejs", versions: [ { lessThan: "6.19.2", status: "affected", version: "6.14.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-38372", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-11T20:29:36.252422Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-12T17:01:03.665Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-28T15:02:48.392Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq", }, { name: "https://github.com/nodejs/undici/issues/3328", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/issues/3328", }, { name: "https://github.com/nodejs/undici/issues/3337", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/issues/3337", }, { name: "https://github.com/nodejs/undici/pull/3338", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/pull/3338", }, { name: "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", }, { url: "https://security.netapp.com/advisory/ntap-20240828-0009/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: ">= 6.14.0, < 6.19.2", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-201", description: "CWE-201: Insertion of Sensitive Information Into Sent Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-08T20:25:59.111Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq", }, { name: "https://github.com/nodejs/undici/issues/3328", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/issues/3328", }, { name: "https://github.com/nodejs/undici/issues/3337", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/issues/3337", }, { name: "https://github.com/nodejs/undici/pull/3338", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/pull/3338", }, { name: "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", }, ], source: { advisory: "GHSA-3g92-w8c5-73pq", discovery: "UNKNOWN", }, title: "Undici vulnerable to data leak when using response.arrayBuffer()", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-38372", datePublished: "2024-07-08T20:25:59.111Z", dateReserved: "2024-06-14T14:16:16.466Z", dateUpdated: "2024-08-28T15:02:48.392Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-23936
Vulnerability from cvelistv5
Published
2023-02-16 17:30
Modified
2025-03-10 21:10
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff | x_refsource_CONFIRM | |
| https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 | x_refsource_MISC | |
| https://hackerone.com/reports/1820955 | x_refsource_MISC | |
| https://github.com/nodejs/undici/releases/tag/v5.19.1 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:49:07.624Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", }, { name: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", }, { name: "https://hackerone.com/reports/1820955", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/1820955", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.19.1", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23936", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-10T21:01:48.996014Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-10T21:10:26.495Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: ">=2.0.0, < 5.19.1", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-93", description: "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-16T17:30:23.968Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", }, { name: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", }, { name: "https://hackerone.com/reports/1820955", tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/1820955", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.19.1", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, ], source: { advisory: "GHSA-5r9g-qh6m-jxff", discovery: "UNKNOWN", }, title: "CRLF Injection in Nodejs ‘undici’ via host", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-23936", datePublished: "2023-02-16T17:30:23.968Z", dateReserved: "2023-01-19T21:12:31.361Z", dateUpdated: "2025-03-10T21:10:26.495Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-24807
Vulnerability from cvelistv5
Published
2023-02-16 17:30
Modified
2025-03-10 21:10
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w | x_refsource_CONFIRM | |
| https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf | x_refsource_MISC | |
| https://github.com/nodejs/undici/releases/tag/v5.19.1 | x_refsource_MISC | |
| https://hackerone.com/bugs?report_id=1784449 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:03:19.291Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://security.netapp.com/advisory/ntap-20230324-0010/", }, { name: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", }, { name: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.19.1", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { name: "https://hackerone.com/bugs?report_id=1784449", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/bugs?report_id=1784449", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24807", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-10T20:58:28.706642Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-10T21:10:32.171Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< 5.19.1", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20: Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-16T17:30:19.923Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w", }, { name: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.19.1", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/releases/tag/v5.19.1", }, { name: "https://hackerone.com/bugs?report_id=1784449", tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/bugs?report_id=1784449", }, ], source: { advisory: "GHSA-r6ch-mqf9-qc9w", discovery: "UNKNOWN", }, title: "Undici vulnerable to Regular Expression Denial of Service in Headers", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-24807", datePublished: "2023-02-16T17:30:19.923Z", dateReserved: "2023-01-30T14:43:33.703Z", dateUpdated: "2025-03-10T21:10:32.171Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-30261
Vulnerability from cvelistv5
Published
2024-04-04 15:09
Modified
2025-02-13 17:47
Severity ?
EPSS score ?
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T01:32:06.665Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", }, { name: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", }, { name: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", }, { name: "https://hackerone.com/reports/2377760", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/2377760", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "undici", vendor: "nodejs", versions: [ { lessThan: "6.11.1", status: "affected", version: "6.0.0", versionType: "custom", }, { lessThan: "5.28.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-30261", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-04T15:04:42.490317Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-04T15:06:10.584Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: ">= 6.0.0, < 6.11.1", }, { status: "affected", version: "< 5.28.4", }, ], }, ], descriptions: [ { lang: "en", value: "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.6, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284: Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-19T23:06:39.663Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", }, { name: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", }, { name: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", }, { name: "https://hackerone.com/reports/2377760", tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/2377760", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", }, ], source: { advisory: "GHSA-9qxr-qj54-h672", discovery: "UNKNOWN", }, title: "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-30261", datePublished: "2024-04-04T15:09:11.369Z", dateReserved: "2024-03-26T12:52:00.934Z", dateUpdated: "2025-02-13T17:47:48.137Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-31150
Vulnerability from cvelistv5
Published
2022-07-19 20:40
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc | x_refsource_CONFIRM | |
| https://hackerone.com/reports/409943 | x_refsource_MISC | |
| https://github.com/nodejs/undici/releases/tag/v5.8.0 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220915-0002/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:11:39.394Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://hackerone.com/reports/409943", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.0", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220915-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "< v5.7.1, >= v5.8.0", }, ], }, ], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-93", description: "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-15T17:06:42", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", }, { tags: [ "x_refsource_MISC", ], url: "https://hackerone.com/reports/409943", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.0", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220915-0002/", }, ], source: { advisory: "GHSA-3cvr-822r-rqcc", discovery: "UNKNOWN", }, title: "CRLF injection in request headers", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-31150", STATE: "PUBLIC", TITLE: "CRLF injection in request headers", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "undici", version: { version_data: [ { version_value: "< v5.7.1, >= v5.8.0", }, ], }, }, ], }, vendor_name: "nodejs", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", refsource: "CONFIRM", url: "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", }, { name: "https://hackerone.com/reports/409943", refsource: "MISC", url: "https://hackerone.com/reports/409943", }, { name: "https://github.com/nodejs/undici/releases/tag/v5.8.0", refsource: "MISC", url: "https://github.com/nodejs/undici/releases/tag/v5.8.0", }, { name: "https://security.netapp.com/advisory/ntap-20220915-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220915-0002/", }, ], }, source: { advisory: "GHSA-3cvr-822r-rqcc", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31150", datePublished: "2022-07-19T20:40:10", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:11:39.394Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-35948
Vulnerability from cvelistv5
Published
2022-08-13 00:00
Modified
2024-08-03 09:51
Severity ?
EPSS score ?
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:51:59.082Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3", }, { tags: [ "x_transferred", ], url: "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undici", vendor: "nodejs", versions: [ { status: "affected", version: "=< 5.8.0", }, ], }, ], descriptions: [ { lang: "en", value: "undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-93", description: "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-74", description: "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-18T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/nodejs/undici/releases/tag/v5.8.2", }, { url: "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3", }, { url: "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80", }, ], source: { advisory: "GHSA-f772-66g8-q5h3", discovery: "UNKNOWN", }, title: "CRLF Injection in Nodejs ‘undici’ via Content-Type", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-35948", datePublished: "2022-08-13T00:00:00", dateReserved: "2022-07-15T00:00:00", dateUpdated: "2024-08-03T09:51:59.082Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }