Description

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

Remediation

References

https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895

https://github.com/nodejs/undici/releases/tag/v5.8.2

https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3

Related Vulnerabilities

CVE-2021-3461 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2018-20677 Vulnerability in maven package org.fujion.webjars:bootstrap

CVE-2022-43434 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2021-25916 Vulnerability in npm package patchmerge

CVE-2021-32621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-dashboard-macro

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Release Notes Exploit Mitigation NVD-CWE-noinfo