Bug 865627 (CVE-2022-35948, CVE-2022-35949) - <net-libs/nodejs-{16.18.0,18.9.0}: multiple vulnerabilities via bundled undici
Summary: <net-libs/nodejs-{16.18.0,18.9.0}: multiple vulnerabilities via bundled undici
Status: IN_PROGRESS
Alias: CVE-2022-35948, CVE-2022-35949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on: 880795
Blocks:
Reported: 2022-08-17 23:40 UTC by John Helmert III
Modified: 2023-12-24 10:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 23:40:58 UTC
CVE-2022-35948 (https://github.com/nodejs/undici/releases/tag/v5.8.2):
https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3
https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80

undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example:

```js
import { request } from 'undici'

// Attacker-controlled value: the CRLF pair ends the header block and starts a second request line
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: { 'content-type': unsanitizedContentTypeInput },
})
```

The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2`. This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

CVE-2022-35949 (https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3):
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
https://github.com/nodejs/undici/releases/tag/v5.8.2

undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")

// "pathname" is expected to stay on http://example.com, but the leading "//" makes the request go to 127.0.0.1
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into the `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

nodejs-16.17.0 was released yesterday with a bump to undici-5.8.0. The
upstream advisories for these claim both that >=undici-5.8.1 is
vulnerable and that 5.8.1 fixes them. In reality, both patches are in
5.8.2. I'm not sure there's anything we should do here except wait for
new nodejs releases.
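Added example (not part of this bug report, of the upstream advisories, or of undici's own code) showing both mechanisms quoted in the description in plain Node.js with no network access: how a CRLF inside a header value turns one request into two on the wire, and how a "path" beginning with `//` or a scheme resolves to a different host once it is combined with the origin. The function names (buildRawRequest, countRequestLines, isSafeHeaderValue, effectiveOrigin, isSafePath, rejectReason) are hypothetical and belong to this example only; they are the kind of caller-side validation the advisories recommend as a workaround, not undici's fix. isSafeHeaderValue enforces the RFC 7230 field-value character set; isSafePath uses the WHATWG URL parser as a conservative oracle for "does this path change the origin", which also catches backslash variants the advisory does not list.

```javascript
// Added example, not undici's code. Demonstrates CVE-2022-35948 (CRLF in a
// header value) and CVE-2022-35949 (path option rewriting the host) without
// any network I/O, plus input checks a caller can run before undici.request.
// All names below are hypothetical; sample inputs are constructed inline.

// --- CVE-2022-35948: a CRLF in a header value splits one request into two ---

// Serialise a request the way a naive HTTP/1.1 client would: header values
// are copied verbatim, which is exactly what makes "\r\n" in a value dangerous.
function buildRawRequest(method, target, headers) {
  let out = `${method} ${target} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + '\r\n';
}

// Count HTTP request lines in the serialised bytes. More than one means a
// second request was smuggled into the same connection write.
function countRequestLines(raw) {
  return (raw.match(/^[A-Z]+ \S+ HTTP\/1\.[01]\r?$/gm) || []).length;
}

// Accept only characters allowed in an HTTP field value (RFC 7230:
// VCHAR, obs-text, SP, HTAB). CR, LF, NUL and other controls are rejected.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !/[^\t\x20-\x7e\x80-\xff]/.test(value);
}

// --- CVE-2022-35949: a "path" that is really a scheme-relative or absolute URL ---

// Resolve the caller-supplied path against the intended origin with the
// WHATWG URL parser and report which origin a request would actually reach.
function effectiveOrigin(origin, path) {
  return new URL(path, origin).origin;
}

// Accept a path only if it stays on the intended origin. "//host", "/\host",
// "\\host" and absolute URLs all resolve to another host and are refused.
function isSafePath(origin, path) {
  if (typeof path !== 'string' || !path.startsWith('/')) return false;
  let resolved;
  try {
    resolved = new URL(path, origin);
  } catch {
    return false;
  }
  return resolved.origin === new URL(origin).origin;
}

// Validate everything that came from user input before it reaches any HTTP
// client call. Returns null when acceptable, otherwise a short reason.
function rejectReason(origin, path, headers) {
  if (!isSafePath(origin, path)) {
    return `path "${path}" does not stay on ${origin}`;
  }
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafeHeaderValue(value)) {
      return `header "${name}" contains a control character`;
    }
  }
  return null;
}

// Demo with constructed inputs taken from the advisory text.
const crlfValue = 'application/json\r\n\r\nGET /foo2 HTTP/1.1';
console.log('request lines with CRLF value:',
  countRequestLines(buildRawRequest('GET', '/', { 'content-type': crlfValue })));
console.log('request lines with clean value:',
  countRequestLines(buildRawRequest('GET', '/', { 'content-type': 'application/json' })));
console.log('"//127.0.0.1" against http://example.com goes to:',
  effectiveOrigin('http://example.com', '//127.0.0.1'));
console.log('reject:', rejectReason('http://example.com', '//127.0.0.1', {}));
console.log('reject:', rejectReason('http://example.com', '/api', { 'content-type': crlfValue }));
console.log('accept:', rejectReason('http://example.com', '/api', { 'content-type': 'application/json' }));
```

Note that a path check based on "starts with a single slash" alone is not enough: `/\127.0.0.1` passes that test yet the WHATWG parser (and browsers) treat `/\` like `//`, so comparing the resolved origin is the safer rule.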
Comment 1 Larry the Git Cow gentoo-dev 2022-08-18 16:24:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2d494d079a1fe48fa2624fb5782343f2f2eecb4

commit e2d494d079a1fe48fa2624fb5782343f2f2eecb4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-18 16:22:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-18 16:24:07 +0000

    net-libs/nodejs: add 16.17.0
    
    Bug: https://bugs.gentoo.org/865627
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-16.17.0.ebuild | 225 ++++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
Comment 2 William Hubbs gentoo-dev 2022-08-18 16:28:36 UTC
I will wait for the 14.x and 18.x releases before I stabilize anything.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 17:34:08 UTC
Does 16.17.0 bump undici to a fixed version?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-04 19:18:49 UTC
It does not.

# grep version deps/undici/src/package.json
  "version": "5.8.0",

Going to go hunting in nodejs git.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-04 19:38:35 UTC
Looks like undici was introduced in this PR, which was never backported to 14.x: https://github.com/nodejs/undici/pull/1183

So we need to stabilize a newer version, ideally along with fixed versions for 879617.