Bug 1202382 (CVE-2022-35949) - VUL-0: CVE-2022-35949: nodejs16: undici - SSRF when an application takes in user input into the path/pathname option of undici.request
Summary: VUL-0: CVE-2022-35949: nodejs16: undici - SSRF when an application takes in u...
Status: RESOLVED FIXED
Alias: CVE-2022-35949
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/339695/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-35949:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-15 07:25 UTC by Robert Frohl
Modified: 2024-04-19 11:36 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2022-08-15 07:25:23 UTC
CVE-2022-35949

undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is
vulnerable to SSRF (Server-side Request Forgery) when an application takes in
**user input** into the `path/pathname` option of `undici.request`. If a user
specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or
`http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it
actually processes the request as `http://127.0.0.1/` and sends it to
`http://127.0.0.1`. If a developer passes user input into the `path` parameter
of `undici.request`, it can result in an _SSRF_ as they will assume that the
hostname cannot change, when in actual fact it can change because the specified
path parameter is combined with the base URL. This issue was fixed in
`undici@5.8.1`. The best workaround is to validate user input before passing it
to the `undici.request` call.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35949
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
https://github.com/nodejs/undici/releases/tag/v5.8.2
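As an added example (not code from the bug report, the advisory, or the undici project), the input validation the description recommends as a workaround, written against Node's built-in WHATWG `URL` parser. It resolves the user-supplied path against the intended origin the same way a client combining the two would, and rejects any value whose resolved origin differs, which covers the `//127.0.0.1` and `http://127.0.0.1` forms quoted above. The function names and sample paths are constructed for this example.

```javascript
// Added example, not code from the bug report or from the undici project.
// Implements the workaround the advisory recommends: validate the
// user-controlled path before it reaches undici.request, so the request can
// never leave the origin the application intended. Function names and the
// sample inputs below are constructed for this example.

// Resolve a user-supplied path against the intended origin and refuse any
// value that would move the request to a different scheme, host or port.
// Returns { origin, path } ready to spread into undici.request().
function safeRequestOptions(origin, userPath) {
  const base = new URL(origin);
  if (base.protocol !== "http:" && base.protocol !== "https:") {
    throw new Error(`unsupported origin scheme: ${base.protocol}`);
  }
  if (typeof userPath !== "string") {
    throw new TypeError("path must be a string");
  }
  // Resolve the path exactly as a client combining it with a base URL would.
  // A protocol-relative "//host", an absolute "http://host" or the backslash
  // variant "\\host" all yield a URL whose origin differs from base.origin.
  let resolved;
  try {
    resolved = new URL(userPath, base);
  } catch (err) {
    throw new Error(`unparseable path "${userPath}": ${err.message}`);
  }
  if (resolved.origin !== base.origin) {
    throw new Error(
      `path "${userPath}" would send the request to ${resolved.origin} ` +
        `instead of ${base.origin}`
    );
  }
  // Rebuild the path from the parsed components: it now always starts with a
  // single "/", dot segments are normalised and any fragment is dropped.
  return { origin: base.origin, path: resolved.pathname + resolved.search };
}

// Classify a batch of candidate paths without throwing (useful for logging
// rejected input); accepted paths map to their normalised form, rejected to null.
function classifyPaths(origin, paths) {
  const result = {};
  for (const p of paths) {
    try {
      result[p] = safeRequestOptions(origin, p).path;
    } catch (err) {
      result[p] = null; // rejected: would change origin or is unparseable
    }
  }
  return result;
}

// Constructed sample inputs: two benign paths and the host-changing forms
// the advisory describes.
const SAMPLE_PATHS = [
  "/api/users?id=7",
  "api/../status",
  "//127.0.0.1",
  "http://127.0.0.1",
  "\\\\127.0.0.1",
  "javascript:alert(1)",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyPaths("http://example.com", SAMPLE_PATHS));
}
```

The check pins scheme, host and port together, so on an origin of `http://example.com:8080` a path of `//example.com/x` is rejected as well. A path such as `//example.com/admin` against origin `http://example.com` is accepted, since the host is unchanged; tighten the comparison if the policy also needs to forbid protocol-relative input outright. This validation complements, and does not replace, moving to the fixed `undici@5.8.1` (or the patched nodejs16 packages listed in the update comments below).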
Comment 1 Robert Frohl 2022-08-15 07:26:31 UTC
tracking as affected:

- SUSE:SLE-12-SP5:Update/nodejs16
- SUSE:SLE-15-SP3:Update/nodejs16
- SUSE:SLE-15-SP4:Update/nodejs16
Comment 4 OBSbugzilla Bot 2022-08-25 16:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1202382) was mentioned in
https://build.opensuse.org/request/show/999257 Factory / nodejs16
Comment 5 Swamp Workflow Management 2022-09-08 13:59:35 UTC
SUSE-SU-2022:3196-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.17.0-8.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-09-12 10:26:57 UTC
SUSE-SU-2022:3250-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.17.0-150400.3.6.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.17.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-09-12 10:33:34 UTC
SUSE-SU-2022:3251-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.17.0-150300.7.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.17.0-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Robert Frohl 2024-04-19 11:36:34 UTC
done