CVE-2022-35949

描述

### Impact `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. ### Patches This issue was fixed in `[email protected]`. ### Workarounds The best workaround is to validate user input before passing it to the `undici.request` call. ## For more information If you have any questions or comments about this advisory: - Open an issue in [undici repository](https://github.com/nodejs/undici/issues) - To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

受影響套件(2)

• Debian/node-undicifrom 0, < 5.8.2+dfsg1+~cs18.9.18.1-1
• npm/undicifrom 0, < 5.8.2

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-35949
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-35949
• PATCHhttps://github.com/nodejs/undici
• WEBhttps://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
• WEBhttps://github.com/nodejs/undici/releases/tag/v5.8.2
• WEBhttps://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3