Skip to content

chore(deps): update dependency undici to v5 [security]#144

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-undici-vulnerability
Open

chore(deps): update dependency undici to v5 [security]#144
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-undici-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Jun 18, 2022
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici (source) ^4.12.1^5.0.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

ProxyAgent vulnerable to MITM

CVE-2022-32210 / GHSA-pgw7-wx7w-2w33

More information

Details

Description

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Impact

This affects all use of HTTPS via HTTP proxy using Undici.ProxyAgent with Undici or Node's global fetch. In this case, it removes all HTTPS security from all requests sent using Undici's ProxyAgent, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).
This less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy).

Patches

This issue was patched in Undici v5.5.1.

Workarounds

At the time of writing, the only workaround is to not use ProxyAgent as a dispatcher for TLS Connections.

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

undici before v5.8.0 vulnerable to CRLF injection in request headers

CVE-2022-31150 / GHSA-3cvr-822r-rqcc

More information

Details

Impact

It is possible to inject CRLF sequences into request headers in Undici.

const undici = require('undici')

const response = undici.request("http://127.0.0.1:1000", {
  headers: {'a': "\r\nb"}
})

The same applies to path and method

Patches

Update to v5.8.0

Workarounds

Sanitize all HTTP headers from untrusted sources to eliminate \r\n.

References

https://hackerone.com/reports/409943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect

CVE-2022-31151 / GHSA-q768-x9m6-m9qp

More information

Details

Impact

Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.

However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in v5.8.0.

Workarounds

By default, this vulnerability is not exploitable.
Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

https://hackerone.com/reports/1635514
https://curl.se/docs/CVE-2018-1000007.html
https://curl.se/docs/CVE-2022-27776.html

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

undici.request vulnerable to SSRF using absolute URL on pathname

CVE-2022-35949 / GHSA-8qr4-xgw6-wmr3

More information

Details

Impact

undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request.

If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1

const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1.

If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

Patches

This issue was fixed in undici@5.8.1.

Workarounds

The best workaround is to validate user input before passing it to the undici.request call.

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

CVE-2022-35948 / GHSA-f772-66g8-q5h3

More information

Details

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

  1. http://localhost:3000/
  2. http://localhost:3000/foo2
Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

CRLF Injection in Nodejs ‘undici’ via host

CVE-2023-23936 / GHSA-5r9g-qh6m-jxff

More information

Details

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Regular Expression Denial of Service in Headers

CVE-2023-24807 / GHSA-r6ch-mqf9-qc9w

More information

Details

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References
Credits

Carter Snook reported this vulnerability.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici's cookie header not cleared on cross-origin redirect in fetch

CVE-2023-45143 / GHSA-wqq4-5wpv-mx2g

More information

Details

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Severity

  • CVSS Score: 3.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici proxy-authorization header not cleared on cross-origin redirect in fetch

CVE-2024-24758 / GHSA-3787-6prv-h9w3

More information

Details

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

Severity

  • CVSS Score: 3.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

CVE-2024-30260 / GHSA-m4v8-wqvr-p9f7

More information

Details

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Severity

  • CVSS Score: 3.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

CVE-2024-30261 / GHSA-9qxr-qj54-h672

More information

Details

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

nodejs/undici (undici)

v5.28.4

Compare Source

⚠️ Security Release ⚠️

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Fixes:

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] chore(deps): update dependency undici to v5 [security] - autoclosed Dec 8, 2024
@renovate renovate Bot closed this Dec 8, 2024
@renovate renovate Bot deleted the renovate/npm-undici-vulnerability branch December 8, 2024 18:35
@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] - autoclosed chore(deps): update dependency undici to v5 [security] Dec 8, 2024
@renovate renovate Bot reopened this Dec 8, 2024
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 8d3a4d8 to d442404 Compare December 8, 2024 22:59
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from d442404 to a2eb75f Compare August 10, 2025 14:45
@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] chore(deps): update dependency undici to v5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] - autoclosed chore(deps): update dependency undici to v5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from a2eb75f to a400da4 Compare March 30, 2026 18:10
@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] chore(deps): update dependency undici to v5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency undici to v5 [security] - autoclosed chore(deps): update dependency undici to v5 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from a400da4 to fa044c7 Compare April 27, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants