CVE-2022-32210
Last modified
CVE-2022-32210 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.. EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Undici | >= 4.8.2, < 5.5.1 |
References
- https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33Exploit, Third Party Advisory
- https://hackerone.com/reports/1583680Exploit, Issue Tracking, Third Party Advisory
- https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33Exploit, Third Party Advisory
- https://hackerone.com/reports/1583680Exploit, Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-32210?
How severe is CVE-2022-32210?
How do I fix CVE-2022-32210?
Are you affected by CVE-2022-32210?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST