CVE-2022-35949: SSRF
First published: Tue Aug 09 2022(Updated: )
A Server-Side Request Forgery (SSRF) vulnerability was found in undici, a HTTP/1.1 client for Node.js. An attacker can manipulate the server-side application to make requests to an unintended location when they use the 'path/pathname' option in 'undici.request'.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Undici | <=5.8.1 |
Remedy
Validate user input before passing it to the `undici.request` call.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
- https://github.com/nodejs/undici/releases/tag/v5.8.2
- https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
- http://127.0.0.1
- http://example.org//127.0.0.1
- http://example.org/http://127.0.0.1
- http://127.0.0.1/
- https://access.redhat.com/errata/RHSA-2022:7276
- https://access.redhat.com/security/cve/cve-2022-35949
- https://bugzilla.redhat.com/show_bug.cgi?id=2121068
- https://www.cve.org/CVERecord?id=CVE-2022-35949 https://nvd.nist.gov/vuln/detail/CVE-2022-35949 https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
Frequently Asked Questions
What is CVE-2022-35949?
CVE-2022-35949 is a Server-Side Request Forgery (SSRF) vulnerability found in undici, an HTTP/1.1 client for Node.js.
How does CVE-2022-35949 affect undici?
CVE-2022-35949 affects undici when an application takes user input into the 'path/pathname' option of undici.request, allowing SSRF.
What is the severity of CVE-2022-35949?
The severity of CVE-2022-35949 is medium with a CVSS score of 5.3.
Which versions of undici are affected by CVE-2022-35949?
undici version up to and excluding 5.8.2 are affected by CVE-2022-35949.
How do I fix CVE-2022-35949?
To fix CVE-2022-35949, upgrade your undici package to version 5.8.2 or later.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-35949
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/nodejs
- canonical/nodejs undici
- version/nodejs undici/5.8.1
- package-manager/redhat