CVE-2022-35948 (https://github.com/nodejs/undici/releases/tag/v5.8.2):
https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3
https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.

Example:

```js
import { request } from 'undici'

// attacker-controlled value: the CRLF pair ends the header block early
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  },
})
```

The above snippet will perform two requests in a single `request` API call:
1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

CVE-2022-35949 (https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3):
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
https://github.com/nodejs/undici/releases/tag/v5.8.2

undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`

```js
const undici = require("undici")

// the protocol-relative "path" replaces the host of the origin
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`.
If a developer passes user input into the `path` parameter of `undici.request`, it can result in an _SSRF_, as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

nodejs-16.17.0 was released yesterday with a bump to undici-5.8.0. The upstream advisories for these claim both that >=undici-5.8.1 is vulnerable and that 5.8.1 fixes them. In reality, both patches are in 5.8.2. I'm not sure there's anything we should do here except wait for new nodejs releases.
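As an added example (not code from undici, the advisories, or this bug's participants), the caller-side checks the two workarounds above describe, written against plain Node.js so it runs without undici installed. It uses the WHATWG `URL` class that Node.js ships; the function names and sample values are assumptions of mine, not undici's API. It goes slightly beyond the advisory's `//127.0.0.1` case: because the URL parser treats `\` like `/` for http(s), a path such as `/\127.0.0.1` also changes the host, which is why the check compares origins after resolution rather than only inspecting the string.

```javascript
// Added example (not from undici, the advisories, or the Gentoo bug): the
// caller-side checks the advisories' workarounds describe, using only the
// WHATWG URL class built into Node.js. Function names and sample values
// below are assumptions for illustration, not undici's API.

const CR_OR_LF = /[\r\n]/;

// CRLF injection (CVE-2022-35948): a header value containing CR or LF ends
// the header line early, so the remainder is read as further headers or as a
// second request. Reject such values rather than trying to strip them.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !CR_OR_LF.test(value);
}

// Validate every header name and value; returns the headers unchanged or throws.
function checkHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (CR_OR_LF.test(name) || !isSafeHeaderValue(value)) {
      throw new Error(`header ${JSON.stringify(name)} contains CR or LF`);
    }
  }
  return headers;
}

// SSRF (CVE-2022-35949): a path is a relative reference, and relative-reference
// resolution lets some paths replace the host. "//127.0.0.1" is protocol-
// relative; for http(s) the parser also treats "\" like "/", so "/\127.0.0.1"
// resolves to http://127.0.0.1/ as well. A prefix check alone therefore misses
// cases: resolve first, then require the result to keep the base origin.
function resolveOnOrigin(origin, path) {
  const base = new URL(origin);
  if (typeof path !== 'string' || !path.startsWith('/')) {
    throw new Error(`path must be origin-relative, got ${JSON.stringify(path)}`);
  }
  const target = new URL(path, base);
  if (target.origin !== base.origin) {
    throw new Error(`path ${JSON.stringify(path)} resolves off-origin to ${target.origin}`);
  }
  return target.href;
}

// Builds the options a caller would hand to an HTTP client only after both
// checks pass. Nothing is sent anywhere.
function buildRequestOptions(origin, path, headers) {
  return {
    method: 'GET',
    url: resolveOnOrigin(origin, path),
    headers: checkHeaders(headers),
  };
}

// Constructed samples mirroring the two advisories (not real traffic).
const samples = [
  ['http://example.com', '/api/items?id=7', { 'content-type': 'application/json' }],
  ['http://example.com', '//127.0.0.1', {}],
  ['http://example.com', '/\\127.0.0.1', {}],
  ['http://localhost:3000', '/', { 'content-type': 'application/json\r\n\r\nGET /foo2 HTTP/1.1' }],
];

for (const [origin, path, headers] of samples) {
  try {
    console.log('accepted:', buildRequestOptions(origin, path, headers).url);
  } catch (err) {
    console.log('rejected:', err.message);
  }
}
```

Only the first sample is accepted; the other three are rejected before any request object is built. The origin comparison is the load-bearing check: it is what catches the backslash variant that a `startsWith('//')` test would let through.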
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2d494d079a1fe48fa2624fb5782343f2f2eecb4

commit e2d494d079a1fe48fa2624fb5782343f2f2eecb4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-18 16:22:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-18 16:24:07 +0000

    net-libs/nodejs: add 16.17.0

    Bug: https://bugs.gentoo.org/865627
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-16.17.0.ebuild | 225 ++++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
I will wait for the 14.x and 18.x releases before I stabilize anything.
Does 16.17.0 bump undici to a fixed version?
It does not.

# grep version deps/undici/src/package.json
  "version": "5.8.0",

Going to go hunting in nodejs git.
Patches made it to 16.18.0, 18.9.0:
https://github.com/nodejs/node/commit/0484122f71fdfb63fe3828ffd094ea7d35b675a9
https://github.com/nodejs/node/commit/818271c1c3b28464e10e8d87ddcb673b8bcb3e29

Unsure about 14.x
Looks like undici was introduced in this PR, which was never backported to 14.x:
https://github.com/nodejs/undici/pull/1183

So we need to stabilize a newer version, ideally along with fixed versions for 879617.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1

commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 11:16:15 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 11:16:37 +0000

    [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/772422
    Bug: https://bugs.gentoo.org/781704
    Bug: https://bugs.gentoo.org/800986
    Bug: https://bugs.gentoo.org/805053
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/811273
    Bug: https://bugs.gentoo.org/817938
    Bug: https://bugs.gentoo.org/831037
    Bug: https://bugs.gentoo.org/835615
    Bug: https://bugs.gentoo.org/857111
    Bug: https://bugs.gentoo.org/865627
    Bug: https://bugs.gentoo.org/872692
    Bug: https://bugs.gentoo.org/879617
    Bug: https://bugs.gentoo.org/918086
    Bug: https://bugs.gentoo.org/918614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)