`undici.request` vulnerable to SSRF using absolute URL on `pathname`

Severity:: Medium

Description

undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request.

If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as `http://127.0.0.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

Affected version(s): <= 5.8.1
Patched version(s): 5.8.2

References

GHSA-8qr4-xgw6-wmr3
CVE-2022-35949
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
undici before v5.8.0 vulnerable to CRLF injection in request headers - CVE-2022-31150

Tags:: npm; undici

Anything's wrong? Let us know Last updated on February 03, 2023