CVE-2026-9697
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
描述
## Impact undici's `ProxyAgent` silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured `ca`, `cert`, `key`, `rejectUnauthorized`, and `servername` settings. Applications that pin to an internal or corporate CA via `requestTls.ca` will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's `ProxyAgent` (or `Socks5ProxyAgent` directly) with SOCKS5 AND rely on `requestTls` for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. ## Patches Upgrade to undici v7.28.0 or v8.5.0. ## Workarounds No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy `ProxyAgent` instead, where `requestTls` is honored correctly.
如何修補 CVE-2026-9697
要修補 CVE-2026-9697,請將受影響套件升級到下列已修補版本。
- —未列出修補版本
- —升級至 7.28.0 或更新版本
CVE-2026-9697 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-9697 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(2)
- from 0
- >= 7.23.0, < 7.28.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| nvd | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |