Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-32210

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Published

2022-07-14T15:15:08.183

Last Modified

2024-11-21T07:05:55.847

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-295
Type: Primary
CWE-295

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	undici	< 5.5.1	Yes

References

https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 Exploit, Third Party Advisory ([email protected])
https://hackerone.com/reports/1583680 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1583680 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)