Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 865627 (CVE-2022-35948, CVE-2022-35949)

Summary: <net-libs/nodejs-{16.18.0,18.9.0}: multiple vulnerabilities via bundled undici
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880795    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 23:40:58 UTC 
CVE-2022-35948 (https://github.com/nodejs/undici/releases/tag/v5.8.2):
https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3
https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

CVE-2022-35949 (https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3):
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
https://github.com/nodejs/undici/releases/tag/v5.8.2

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

nodejs-16.17.0 was released yesterday with a bump to undici-5.8.0. The
upstream advisories for these claim both that >=undici-5.8.1 is
vulnerable and that 5.8.1 fixes them. In reality, both patches are in
5.8.2. I'm not sure there's anything we should do here except wait for
new nodejs releases.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-18 16:24:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2d494d079a1fe48fa2624fb5782343f2f2eecb4

commit e2d494d079a1fe48fa2624fb5782343f2f2eecb4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-18 16:22:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-18 16:24:07 +0000

    net-libs/nodejs: add 16.17.0
    
    Bug: https://bugs.gentoo.org/865627
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-16.17.0.ebuild | 225 ++++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
Comment 2 William Hubbs gentoo-dev 2022-08-18 16:28:36 UTC 
I will wait for the 14.x and 18.x releases before I stabilize anything.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 17:34:08 UTC 
Does 16.17.0 bump undici to a fixed version?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-04 19:18:49 UTC 
It does not.

# grep version deps/undici/src/package.json
  "version": "5.8.0",

Going to go hunting in nodejs git.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-04 19:38:35 UTC 
Looks like undici was introduced in this PR, which was never backported to 14.x: https://github.com/nodejs/undici/pull/1183

So we need to stabilize a newer version, ideally along with fixed versions for 879617.
Comment 7 Larry the Git Cow gentoo-dev 2024-05-08 11:16:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1

commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 11:16:15 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 11:16:37 +0000

    [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/772422
    Bug: https://bugs.gentoo.org/781704
    Bug: https://bugs.gentoo.org/800986
    Bug: https://bugs.gentoo.org/805053
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/811273
    Bug: https://bugs.gentoo.org/817938
    Bug: https://bugs.gentoo.org/831037
    Bug: https://bugs.gentoo.org/835615
    Bug: https://bugs.gentoo.org/857111
    Bug: https://bugs.gentoo.org/865627
    Bug: https://bugs.gentoo.org/872692
    Bug: https://bugs.gentoo.org/879617
    Bug: https://bugs.gentoo.org/918086
    Bug: https://bugs.gentoo.org/918614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)