Search criteria
30 vulnerabilities found for undici by nodejs
CVE-2025-47279 (GCVE-0-2025-47279)
Vulnerability from nvd – Published: 2025-05-15 17:16 – Updated: 2025-05-16 13:44
VLAI?
Title
undici Denial of Service attack via bad certificate data
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Severity ?
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47279",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T17:51:54.156281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:44:28.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.29.0"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.21.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T17:16:02.738Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"
},
{
"name": "https://github.com/nodejs/undici/issues/3895",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3895"
},
{
"name": "https://github.com/nodejs/undici/pull/4088",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/pull/4088"
}
],
"source": {
"advisory": "GHSA-cxrh-j4jr-qwg3",
"discovery": "UNKNOWN"
},
"title": "undici Denial of Service attack via bad certificate data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47279",
"datePublished": "2025-05-15T17:16:02.738Z",
"dateReserved": "2025-05-05T16:53:10.373Z",
"dateUpdated": "2025-05-16T13:44:28.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22150 (GCVE-0-2025-22150)
Vulnerability from nvd – Published: 2025-01-21 17:46 – Updated: 2025-02-12 20:41
VLAI?
Title
Undici Uses Insufficiently Random Values
Summary
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Severity ?
6.8 (Medium)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T18:34:22.789606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 5.28.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.21.1"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T17:46:58.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975"
},
{
"name": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0"
},
{
"name": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a"
},
{
"name": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385"
},
{
"name": "https://hackerone.com/reports/2913312",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2913312"
},
{
"name": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f"
},
{
"name": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
}
],
"source": {
"advisory": "GHSA-c76h-2ccp-4975",
"discovery": "UNKNOWN"
},
"title": "Undici Uses Insufficiently Random Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22150",
"datePublished": "2025-01-21T17:46:58.872Z",
"dateReserved": "2024-12-30T03:00:33.654Z",
"dateUpdated": "2025-02-12T20:41:22.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38372 (GCVE-0-2024-38372)
Vulnerability from nvd – Published: 2024-07-08 20:25 – Updated: 2024-08-28 15:02
VLAI?
Title
Undici vulnerable to data leak when using response.arrayBuffer()
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
Severity ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:6.14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.19.2",
"status": "affected",
"version": "6.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T20:29:36.252422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T17:01:03.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-28T15:02:48.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"
},
{
"name": "https://github.com/nodejs/undici/issues/3328",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/3328"
},
{
"name": "https://github.com/nodejs/undici/issues/3337",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/3337"
},
{
"name": "https://github.com/nodejs/undici/pull/3338",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/pull/3338"
},
{
"name": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240828-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.14.0, \u003c 6.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T20:25:59.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"
},
{
"name": "https://github.com/nodejs/undici/issues/3328",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3328"
},
{
"name": "https://github.com/nodejs/undici/issues/3337",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3337"
},
{
"name": "https://github.com/nodejs/undici/pull/3338",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/pull/3338"
},
{
"name": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"
}
],
"source": {
"advisory": "GHSA-3g92-w8c5-73pq",
"discovery": "UNKNOWN"
},
"title": "Undici vulnerable to data leak when using response.arrayBuffer()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38372",
"datePublished": "2024-07-08T20:25:59.111Z",
"dateReserved": "2024-06-14T14:16:16.466Z",
"dateUpdated": "2024-08-28T15:02:48.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30260 (GCVE-0-2024-30260)
Vulnerability from nvd – Published: 2024-04-04 15:15 – Updated: 2025-11-04 16:11
VLAI?
Title
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T13:43:37.003793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:49.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:11:54.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
},
{
"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
},
{
"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.28.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:41.342Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
},
{
"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
},
{
"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
}
],
"source": {
"advisory": "GHSA-m4v8-wqvr-p9f7",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30260",
"datePublished": "2024-04-04T15:15:44.653Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2025-11-04T16:11:54.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-30261 (GCVE-0-2024-30261)
Vulnerability from nvd – Published: 2024-04-04 15:09 – Updated: 2025-11-04 16:11
VLAI?
Title
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:11:56.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"
},
{
"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"
},
{
"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"
},
{
"name": "https://hackerone.com/reports/2377760",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2377760"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0008/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.11.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "5.28.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30261",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T15:04:42.490317Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:06:10.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.11.1"
},
{
"status": "affected",
"version": "\u003c 5.28.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:39.663Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"
},
{
"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"
},
{
"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"
},
{
"name": "https://hackerone.com/reports/2377760",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2377760"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
}
],
"source": {
"advisory": "GHSA-9qxr-qj54-h672",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30261",
"datePublished": "2024-04-04T15:09:11.369Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2025-11-04T16:11:56.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24758 (GCVE-0-2024-24758)
Vulnerability from nvd – Published: 2024-02-16 21:40 – Updated: 2025-02-13 17:40
VLAI?
Title
Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:56:27.356620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:23.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"
},
{
"name": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0007/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.28.3"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:12:33.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"
},
{
"name": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0007/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
}
],
"source": {
"advisory": "GHSA-3787-6prv-h9w3",
"discovery": "UNKNOWN"
},
"title": "Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24758",
"datePublished": "2024-02-16T21:40:37.716Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-02-13T17:40:21.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24750 (GCVE-0-2024-24750)
Vulnerability from nvd – Published: 2024-02-16 21:42 – Updated: 2025-02-13 17:40
VLAI?
Title
Backpressure request ignored in fetch() in Undici
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:6.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.6.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:30:24.448932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:45:31.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"
},
{
"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T07:06:03.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"
},
{
"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"
}
],
"source": {
"advisory": "GHSA-9f24-jqhm-jfcw",
"discovery": "UNKNOWN"
},
"title": "Backpressure request ignored in fetch() in Undici"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24750",
"datePublished": "2024-02-16T21:42:29.999Z",
"dateReserved": "2024-01-29T20:51:26.009Z",
"dateUpdated": "2025-02-13T17:40:21.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45143 (GCVE-0-2023-45143)
Vulnerability from nvd – Published: 2023-10-12 16:35 – Updated: 2025-02-13 17:13
VLAI?
Title
Undici's cookie header not cleared on cross-origin redirect in fetch
Summary
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"
},
{
"name": "https://hackerone.com/reports/2166948",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2166948"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.26.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.26.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T13:10:30.877905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T13:17:57.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici\u0027s implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T21:06:35.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"
},
{
"name": "https://hackerone.com/reports/2166948",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2166948"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.26.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.26.2"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
}
],
"source": {
"advisory": "GHSA-wqq4-5wpv-mx2g",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s cookie header not cleared on cross-origin redirect in fetch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45143",
"datePublished": "2023-10-12T16:35:40.637Z",
"dateReserved": "2023-10-04T16:02:46.330Z",
"dateUpdated": "2025-02-13T17:13:50.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24807 (GCVE-0-2023-24807)
Vulnerability from nvd – Published: 2023-02-16 17:30 – Updated: 2025-03-10 21:10
VLAI?
Title
Undici vulnerable to Regular Expression Denial of Service in Headers
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230324-0010/"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w"
},
{
"name": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
},
{
"name": "https://hackerone.com/bugs?report_id=1784449",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/bugs?report_id=1784449"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:28.706642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:10:32.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-16T17:30:19.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w"
},
{
"name": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
},
{
"name": "https://hackerone.com/bugs?report_id=1784449",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/bugs?report_id=1784449"
}
],
"source": {
"advisory": "GHSA-r6ch-mqf9-qc9w",
"discovery": "UNKNOWN"
},
"title": "Undici vulnerable to Regular Expression Denial of Service in Headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-24807",
"datePublished": "2023-02-16T17:30:19.923Z",
"dateReserved": "2023-01-30T14:43:33.703Z",
"dateUpdated": "2025-03-10T21:10:32.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23936 (GCVE-0-2023-23936)
Vulnerability from nvd – Published: 2023-02-16 17:30 – Updated: 2025-03-10 21:10
VLAI?
Title
CRLF Injection in Nodejs ‘undici’ via host
Summary
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Severity ?
6.5 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:49:07.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"
},
{
"name": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"
},
{
"name": "https://hackerone.com/reports/1820955",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1820955"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:48.996014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:10:26.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e=2.0.0, \u003c 5.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-16T17:30:23.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"
},
{
"name": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"
},
{
"name": "https://hackerone.com/reports/1820955",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1820955"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
}
],
"source": {
"advisory": "GHSA-5r9g-qh6m-jxff",
"discovery": "UNKNOWN"
},
"title": "CRLF Injection in Nodejs \u2018undici\u2019 via host"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23936",
"datePublished": "2023-02-16T17:30:23.968Z",
"dateReserved": "2023-01-19T21:12:31.361Z",
"dateUpdated": "2025-03-10T21:10:26.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35948 (GCVE-0-2022-35948)
Vulnerability from nvd – Published: 2022-08-13 00:00 – Updated: 2025-04-22 17:42
VLAI?
Title
CRLF Injection in Nodejs ‘undici’ via Content-Type
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Severity ?
5.3 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:39:48.293625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:42:05.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "=\u003c 5.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`=\u003c undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from \u0027undici\u0027 const unsanitizedContentTypeInput = \u0027application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1\u0027 await request(\u0027http://localhost:3000, { method: \u0027GET\u0027, headers: { \u0027content-type\u0027: unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
},
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3"
},
{
"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80"
}
],
"source": {
"advisory": "GHSA-f772-66g8-q5h3",
"discovery": "UNKNOWN"
},
"title": "CRLF Injection in Nodejs \u2018undici\u2019 via Content-Type"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35948",
"datePublished": "2022-08-13T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:42:05.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35949 (GCVE-0-2022-35949)
Vulnerability from nvd – Published: 2022-08-12 00:00 – Updated: 2025-04-22 17:42
VLAI?
Title
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
Severity ?
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:39:52.001564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:42:40.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
},
{
"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
},
{
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
}
],
"source": {
"advisory": "GHSA-8qr4-xgw6-wmr3",
"discovery": "UNKNOWN"
},
"title": "`undici.request` vulnerable to SSRF using absolute URL on `pathname`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35949",
"datePublished": "2022-08-12T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:42:40.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31151 (GCVE-0-2022-31151)
Vulnerability from nvd – Published: 2022-07-20 23:00 – Updated: 2025-04-22 17:48
VLAI?
Title
Uncleared cookies on cross-host/cross-origin redirect in undici
Summary
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1635514"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31151",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:45:24.308162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:48:20.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T17:06:28.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1635514"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
],
"source": {
"advisory": "GHSA-q768-x9m6-m9qp",
"discovery": "UNKNOWN"
},
"title": "Uncleared cookies on cross-host/cross-origin redirect in undici",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31151",
"STATE": "PUBLIC",
"TITLE": "Uncleared cookies on cross-host/cross-origin redirect in undici"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undici",
"version": {
"version_data": [
{
"version_value": "\u003c 5.7.1"
}
]
}
}
]
},
"vendor_name": "nodejs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"refsource": "CONFIRM",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/issues/872",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"name": "https://hackerone.com/reports/1635514",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1635514"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220909-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
]
},
"source": {
"advisory": "GHSA-q768-x9m6-m9qp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31151",
"datePublished": "2022-07-20T23:00:15.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:48:20.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31150 (GCVE-0-2022-31150)
Vulnerability from nvd – Published: 2022-07-19 20:40 – Updated: 2025-04-22 17:48
VLAI?
Title
CRLF injection in request headers
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/409943"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:40:20.790408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:48:45.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c v5.7.1, \u003e= v5.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-15T17:06:42.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/409943"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
],
"source": {
"advisory": "GHSA-3cvr-822r-rqcc",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in request headers",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31150",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in request headers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undici",
"version": {
"version_data": [
{
"version_value": "\u003c v5.7.1, \u003e= v5.8.0"
}
]
}
}
]
},
"vendor_name": "nodejs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc",
"refsource": "CONFIRM",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"name": "https://hackerone.com/reports/409943",
"refsource": "MISC",
"url": "https://hackerone.com/reports/409943"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.8.0",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220915-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
]
},
"source": {
"advisory": "GHSA-3cvr-822r-rqcc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31150",
"datePublished": "2022-07-19T20:40:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:48:45.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32210 (GCVE-0-2022-32210)
Vulnerability from nvd – Published: 2022-07-14 14:51 – Updated: 2024-08-03 07:32
VLAI?
Summary
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Severity ?
No CVSS data available.
CWE
- CWE-295 - Improper Certificate Validation (CWE-295)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/nodejs/undici |
Affected:
Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:32:56.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1583680"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/nodejs/undici",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in version \u003e= v5.5.1. Vulnerable between v4.8.2 and v5.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`Undici.ProxyAgent` never verifies the remote server\u0027s certificate, and always exposes all request \u0026 response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy\u0027s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "Improper Certificate Validation (CWE-295)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T14:51:40",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1583680"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2022-32210",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/undici",
"version": {
"version_data": [
{
"version_value": "Fixed in version \u003e= v5.5.1. Vulnerable between v4.8.2 and v5.5.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "`Undici.ProxyAgent` never verifies the remote server\u0027s certificate, and always exposes all request \u0026 response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy\u0027s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1583680",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1583680"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2022-32210",
"datePublished": "2022-07-14T14:51:40",
"dateReserved": "2022-06-01T00:00:00",
"dateUpdated": "2024-08-03T07:32:56.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47279 (GCVE-0-2025-47279)
Vulnerability from cvelistv5 – Published: 2025-05-15 17:16 – Updated: 2025-05-16 13:44
VLAI?
Title
undici Denial of Service attack via bad certificate data
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Severity ?
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47279",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T17:51:54.156281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:44:28.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.29.0"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.21.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T17:16:02.738Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"
},
{
"name": "https://github.com/nodejs/undici/issues/3895",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3895"
},
{
"name": "https://github.com/nodejs/undici/pull/4088",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/pull/4088"
}
],
"source": {
"advisory": "GHSA-cxrh-j4jr-qwg3",
"discovery": "UNKNOWN"
},
"title": "undici Denial of Service attack via bad certificate data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47279",
"datePublished": "2025-05-15T17:16:02.738Z",
"dateReserved": "2025-05-05T16:53:10.373Z",
"dateUpdated": "2025-05-16T13:44:28.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22150 (GCVE-0-2025-22150)
Vulnerability from cvelistv5 – Published: 2025-01-21 17:46 – Updated: 2025-02-12 20:41
VLAI?
Title
Undici Uses Insufficiently Random Values
Summary
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Severity ?
6.8 (Medium)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T18:34:22.789606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:22.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.5.0, \u003c 5.28.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.21.1"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T17:46:58.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975"
},
{
"name": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0"
},
{
"name": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a"
},
{
"name": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385"
},
{
"name": "https://hackerone.com/reports/2913312",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2913312"
},
{
"name": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f"
},
{
"name": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
}
],
"source": {
"advisory": "GHSA-c76h-2ccp-4975",
"discovery": "UNKNOWN"
},
"title": "Undici Uses Insufficiently Random Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22150",
"datePublished": "2025-01-21T17:46:58.872Z",
"dateReserved": "2024-12-30T03:00:33.654Z",
"dateUpdated": "2025-02-12T20:41:22.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38372 (GCVE-0-2024-38372)
Vulnerability from cvelistv5 – Published: 2024-07-08 20:25 – Updated: 2024-08-28 15:02
VLAI?
Title
Undici vulnerable to data leak when using response.arrayBuffer()
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
Severity ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:6.14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.19.2",
"status": "affected",
"version": "6.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T20:29:36.252422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T17:01:03.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-28T15:02:48.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"
},
{
"name": "https://github.com/nodejs/undici/issues/3328",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/3328"
},
{
"name": "https://github.com/nodejs/undici/issues/3337",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/3337"
},
{
"name": "https://github.com/nodejs/undici/pull/3338",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/pull/3338"
},
{
"name": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240828-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.14.0, \u003c 6.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T20:25:59.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"
},
{
"name": "https://github.com/nodejs/undici/issues/3328",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3328"
},
{
"name": "https://github.com/nodejs/undici/issues/3337",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/3337"
},
{
"name": "https://github.com/nodejs/undici/pull/3338",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/pull/3338"
},
{
"name": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"
}
],
"source": {
"advisory": "GHSA-3g92-w8c5-73pq",
"discovery": "UNKNOWN"
},
"title": "Undici vulnerable to data leak when using response.arrayBuffer()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38372",
"datePublished": "2024-07-08T20:25:59.111Z",
"dateReserved": "2024-06-14T14:16:16.466Z",
"dateUpdated": "2024-08-28T15:02:48.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30260 (GCVE-0-2024-30260)
Vulnerability from cvelistv5 – Published: 2024-04-04 15:15 – Updated: 2025-11-04 16:11
VLAI?
Title
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T13:43:37.003793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:49.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:11:54.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
},
{
"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
},
{
"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.28.4"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:41.342Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"
},
{
"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"
},
{
"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
}
],
"source": {
"advisory": "GHSA-m4v8-wqvr-p9f7",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30260",
"datePublished": "2024-04-04T15:15:44.653Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2025-11-04T16:11:54.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-30261 (GCVE-0-2024-30261)
Vulnerability from cvelistv5 – Published: 2024-04-04 15:09 – Updated: 2025-11-04 16:11
VLAI?
Title
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:11:56.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"
},
{
"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"
},
{
"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"
},
{
"name": "https://hackerone.com/reports/2377760",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2377760"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0008/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.11.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "5.28.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30261",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T15:04:42.490317Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:06:10.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.11.1"
},
{
"status": "affected",
"version": "\u003c 5.28.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:39.663Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"
},
{
"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"
},
{
"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"
},
{
"name": "https://hackerone.com/reports/2377760",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2377760"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"
}
],
"source": {
"advisory": "GHSA-9qxr-qj54-h672",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30261",
"datePublished": "2024-04-04T15:09:11.369Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2025-11-04T16:11:56.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24750 (GCVE-0-2024-24750)
Vulnerability from cvelistv5 – Published: 2024-02-16 21:42 – Updated: 2025-02-13 17:40
VLAI?
Title
Backpressure request ignored in fetch() in Undici
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:undici:6.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"lessThan": "6.6.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:30:24.448932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:45:31.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"
},
{
"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T07:06:03.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw"
},
{
"name": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0006/"
}
],
"source": {
"advisory": "GHSA-9f24-jqhm-jfcw",
"discovery": "UNKNOWN"
},
"title": "Backpressure request ignored in fetch() in Undici"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24750",
"datePublished": "2024-02-16T21:42:29.999Z",
"dateReserved": "2024-01-29T20:51:26.009Z",
"dateUpdated": "2025-02-13T17:40:21.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24758 (GCVE-0-2024-24758)
Vulnerability from cvelistv5 – Published: 2024-02-16 21:40 – Updated: 2025-02-13 17:40
VLAI?
Title
Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:56:27.356620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:23.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"
},
{
"name": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240419-0007/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.28.3"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:12:33.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"
},
{
"name": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240419-0007/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
}
],
"source": {
"advisory": "GHSA-3787-6prv-h9w3",
"discovery": "UNKNOWN"
},
"title": "Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24758",
"datePublished": "2024-02-16T21:40:37.716Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-02-13T17:40:21.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45143 (GCVE-0-2023-45143)
Vulnerability from cvelistv5 – Published: 2023-10-12 16:35 – Updated: 2025-02-13 17:13
VLAI?
Title
Undici's cookie header not cleared on cross-origin redirect in fetch
Summary
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"
},
{
"name": "https://hackerone.com/reports/2166948",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2166948"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.26.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.26.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T13:10:30.877905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T13:17:57.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici\u0027s implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T21:06:35.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"
},
{
"name": "https://hackerone.com/reports/2166948",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2166948"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.26.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.26.2"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
}
],
"source": {
"advisory": "GHSA-wqq4-5wpv-mx2g",
"discovery": "UNKNOWN"
},
"title": "Undici\u0027s cookie header not cleared on cross-origin redirect in fetch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45143",
"datePublished": "2023-10-12T16:35:40.637Z",
"dateReserved": "2023-10-04T16:02:46.330Z",
"dateUpdated": "2025-02-13T17:13:50.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23936 (GCVE-0-2023-23936)
Vulnerability from cvelistv5 – Published: 2023-02-16 17:30 – Updated: 2025-03-10 21:10
VLAI?
Title
CRLF Injection in Nodejs ‘undici’ via host
Summary
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Severity ?
6.5 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:49:07.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"
},
{
"name": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"
},
{
"name": "https://hackerone.com/reports/1820955",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1820955"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:48.996014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:10:26.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003e=2.0.0, \u003c 5.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-16T17:30:23.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"
},
{
"name": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"
},
{
"name": "https://hackerone.com/reports/1820955",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1820955"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
}
],
"source": {
"advisory": "GHSA-5r9g-qh6m-jxff",
"discovery": "UNKNOWN"
},
"title": "CRLF Injection in Nodejs \u2018undici\u2019 via host"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23936",
"datePublished": "2023-02-16T17:30:23.968Z",
"dateReserved": "2023-01-19T21:12:31.361Z",
"dateUpdated": "2025-03-10T21:10:26.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24807 (GCVE-0-2023-24807)
Vulnerability from cvelistv5 – Published: 2023-02-16 17:30 – Updated: 2025-03-10 21:10
VLAI?
Title
Undici vulnerable to Regular Expression Denial of Service in Headers
Summary
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230324-0010/"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w"
},
{
"name": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
},
{
"name": "https://hackerone.com/bugs?report_id=1784449",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/bugs?report_id=1784449"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:28.706642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:10:32.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-16T17:30:19.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w"
},
{
"name": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"
},
{
"name": "https://hackerone.com/bugs?report_id=1784449",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/bugs?report_id=1784449"
}
],
"source": {
"advisory": "GHSA-r6ch-mqf9-qc9w",
"discovery": "UNKNOWN"
},
"title": "Undici vulnerable to Regular Expression Denial of Service in Headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-24807",
"datePublished": "2023-02-16T17:30:19.923Z",
"dateReserved": "2023-01-30T14:43:33.703Z",
"dateUpdated": "2025-03-10T21:10:32.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35948 (GCVE-0-2022-35948)
Vulnerability from cvelistv5 – Published: 2022-08-13 00:00 – Updated: 2025-04-22 17:42
VLAI?
Title
CRLF Injection in Nodejs ‘undici’ via Content-Type
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Severity ?
5.3 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:39:48.293625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:42:05.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "=\u003c 5.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`=\u003c undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from \u0027undici\u0027 const unsanitizedContentTypeInput = \u0027application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1\u0027 await request(\u0027http://localhost:3000, { method: \u0027GET\u0027, headers: { \u0027content-type\u0027: unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
},
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3"
},
{
"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80"
}
],
"source": {
"advisory": "GHSA-f772-66g8-q5h3",
"discovery": "UNKNOWN"
},
"title": "CRLF Injection in Nodejs \u2018undici\u2019 via Content-Type"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35948",
"datePublished": "2022-08-13T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:42:05.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35949 (GCVE-0-2022-35949)
Vulnerability from cvelistv5 – Published: 2022-08-12 00:00 – Updated: 2025-04-22 17:42
VLAI?
Title
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.
Severity ?
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:39:52.001564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:42:40.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3"
},
{
"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895"
},
{
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
}
],
"source": {
"advisory": "GHSA-8qr4-xgw6-wmr3",
"discovery": "UNKNOWN"
},
"title": "`undici.request` vulnerable to SSRF using absolute URL on `pathname`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35949",
"datePublished": "2022-08-12T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:42:40.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31151 (GCVE-0-2022-31151)
Vulnerability from cvelistv5 – Published: 2022-07-20 23:00 – Updated: 2025-04-22 17:48
VLAI?
Title
Uncleared cookies on cross-host/cross-origin redirect in undici
Summary
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1635514"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31151",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:45:24.308162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:48:20.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T17:06:28.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1635514"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
],
"source": {
"advisory": "GHSA-q768-x9m6-m9qp",
"discovery": "UNKNOWN"
},
"title": "Uncleared cookies on cross-host/cross-origin redirect in undici",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31151",
"STATE": "PUBLIC",
"TITLE": "Uncleared cookies on cross-host/cross-origin redirect in undici"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undici",
"version": {
"version_data": [
{
"version_value": "\u003c 5.7.1"
}
]
}
}
]
},
"vendor_name": "nodejs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"refsource": "CONFIRM",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"name": "https://github.com/nodejs/undici/issues/872",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"name": "https://hackerone.com/reports/1635514",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1635514"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220909-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220909-0006/"
}
]
},
"source": {
"advisory": "GHSA-q768-x9m6-m9qp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31151",
"datePublished": "2022-07-20T23:00:15.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:48:20.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31150 (GCVE-0-2022-31150)
Vulnerability from cvelistv5 – Published: 2022-07-19 20:40 – Updated: 2025-04-22 17:48
VLAI?
Title
CRLF injection in request headers
Summary
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/409943"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:40:20.790408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:48:45.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c v5.7.1, \u003e= v5.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-15T17:06:42.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/409943"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
],
"source": {
"advisory": "GHSA-3cvr-822r-rqcc",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in request headers",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31150",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in request headers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undici",
"version": {
"version_data": [
{
"version_value": "\u003c v5.7.1, \u003e= v5.8.0"
}
]
}
}
]
},
"vendor_name": "nodejs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc",
"refsource": "CONFIRM",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"name": "https://hackerone.com/reports/409943",
"refsource": "MISC",
"url": "https://hackerone.com/reports/409943"
},
{
"name": "https://github.com/nodejs/undici/releases/tag/v5.8.0",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220915-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220915-0002/"
}
]
},
"source": {
"advisory": "GHSA-3cvr-822r-rqcc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31150",
"datePublished": "2022-07-19T20:40:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:48:45.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32210 (GCVE-0-2022-32210)
Vulnerability from cvelistv5 – Published: 2022-07-14 14:51 – Updated: 2024-08-03 07:32
VLAI?
Summary
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Severity ?
No CVSS data available.
CWE
- CWE-295 - Improper Certificate Validation (CWE-295)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/nodejs/undici |
Affected:
Fixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:32:56.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1583680"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/nodejs/undici",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in version \u003e= v5.5.1. Vulnerable between v4.8.2 and v5.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`Undici.ProxyAgent` never verifies the remote server\u0027s certificate, and always exposes all request \u0026 response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy\u0027s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "Improper Certificate Validation (CWE-295)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T14:51:40",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1583680"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2022-32210",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/nodejs/undici",
"version": {
"version_data": [
{
"version_value": "Fixed in version \u003e= v5.5.1. Vulnerable between v4.8.2 and v5.5.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "`Undici.ProxyAgent` never verifies the remote server\u0027s certificate, and always exposes all request \u0026 response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy\u0027s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation (CWE-295)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1583680",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1583680"
},
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33",
"refsource": "MISC",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2022-32210",
"datePublished": "2022-07-14T14:51:40",
"dateReserved": "2022-06-01T00:00:00",
"dateUpdated": "2024-08-03T07:32:56.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}