CVE-2022-35949
Vulnerability from cvelistv5
Published
2022-08-12 00:00
Modified
2024-08-03 09:51
Summary
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Impacted products
nodejsundici
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:51:59.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undici",
          "vendor": "nodejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 5.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-18T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
        },
        {
          "url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
        },
        {
          "url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
        }
      ],
      "source": {
        "advisory": "GHSA-8qr4-xgw6-wmr3",
        "discovery": "UNKNOWN"
      },
      "title": "`undici.request` vulnerable to SSRF using absolute URL on `pathname`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-35949",
    "datePublished": "2022-08-12T00:00:00",
    "dateReserved": "2022-07-15T00:00:00",
    "dateUpdated": "2024-08-03T09:51:59.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-35949\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-08-12T23:15:07.970\",\"lastModified\":\"2023-03-28T17:10:18.800\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\\\"undici\\\") undici.request({origin: \\\"http://example.com\\\", pathname: \\\"//127.0.0.1\\\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.\"},{\"lang\":\"es\",\"value\":\"undici es un cliente HTTP/1.1, escrito desde cero para Node.js.\\\"undici\\\" es vulnerable a un ataque de tipo SSRF (Server-side Request Forgery) cuando una aplicaci\u00f3n toma la **user input** en la opci\u00f3n \\\"path/pathname\\\" de \\\"undici.request\\\". Si un usuario especifica una URL como \\\"http://127.0.0.1\\\" o \\\"//127.0.0.1\\\" \\\"\\\"js const undici = require(\\\"undici\\\") undici.request({origin: \\\"http://example.com\\\", pathname: \\\"//127.0.0.1\\\"}) \\\"\\\"\\\" En lugar de procesar la petici\u00f3n como \\\"http://example.org//127.0.0.1\\\" (o \\\"http://example.org/http://127.0.0.1\\\" cuando es usada \\\"http://127.0.0.1\\\"), en realidad procesa la petici\u00f3n como \\\"http://127.0.0.1/\\\" y la env\u00eda a \\\"http://127.0.0.1\\\". Si un desarrollador pasa la entrada del usuario en el par\u00e1metro \\\"path\\\" de \\\"undici.request\\\", puede resultar en un _SSRF_ ya que asumir\u00e1 que el nombre del host no puede cambiar, cuando en realidad puede cambiar porque el par\u00e1metro path especificado es combinado con la URL base. Este problema ha sido corregido en \\\"undici@5.8.1\\\". La mejor mitigaci\u00f3n es comprender la entrada del usuario antes de pasarla a la llamada \\\"undici.request\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"5.8.1\",\"matchCriteriaId\":\"CB5541CA-AC2D-4CFD-82A9-CF1FFEEFBB08\"}]}]}],\"references\":[{\"url\":\"https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nodejs/undici/releases/tag/v5.8.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.