`undici.request` vulnerable to SSRF using absolute URL on `pathname`

Severity:: Medium

Description

undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request.

If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as `http://127.0.0.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

Affected version(s): <= 5.8.1
Patched version(s): 5.8.2

References

GHSA-8qr4-xgw6-wmr3
CVE-2022-35949
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

undici before v5.8.0 vulnerable to CRLF injection in request headers - CVE-2022-31150
Undici's cookie header not cleared on cross-origin redirect in fetch - CVE-2023-45143
bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function - CVE-2025-3194
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260

Tags:: npm; undici

Anything's wrong? Let us know Last updated on February 03, 2023