Open renovate[bot] opened 3 months ago
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
graphql-ez | ❌ Failed (Inspect) | Aug 6, 2024 6:46am |
Latest commit: fe33a36a5d591aaf399a8ca67fc0b77f3c853d7a
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
This PR contains the following updates:
5.28.2
->5.28.4
GitHub Vulnerability Alerts
CVE-2022-32210
Description
Undici.ProxyAgent
never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.Impact
This affects all use of HTTPS via HTTP proxy using
Undici.ProxyAgent
with Undici or Node's globalfetch
. In this case, it removes all HTTPS security from all requests sent using Undici'sProxyAgent
, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc). This less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy).Patches
This issue was patched in Undici v5.5.1.
Workarounds
At the time of writing, the only workaround is to not use
ProxyAgent
as a dispatcher for TLS Connections.CVE-2022-31150
Impact
It is possible to inject CRLF sequences into request headers in Undici.
The same applies to
path
andmethod
Patches
Update to v5.8.0
Workarounds
Sanitize all HTTP headers from untrusted sources to eliminate
\r\n
.References
https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
For more information
If you have any questions or comments about this advisory:
CVE-2022-31151
Impact
Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in v5.8.0.
Workarounds
By default, this vulnerability is not exploitable. Do not enable redirections, i.e.
maxRedirections: 0
(the default).References
https://hackerone.com/reports/1635514 https://curl.se/docs/CVE-2018-1000007.html https://curl.se/docs/CVE-2022-27776.html
For more information
If you have any questions or comments about this advisory:
CVE-2022-35949
Impact
undici
is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into thepath/pathname
option ofundici.request
.If a user specifies a URL such as
http://127.0.0.1
or//127.0.0.1
Instead of processing the request as
http://example.org//127.0.0.1
(orhttp://example.org/http://127.0.0.1
whenhttp://127.0.0.1 is used
), it actually processes the request ashttp://127.0.0.1/
and sends it tohttp://127.0.0.1
.If a developer passes in user input into
path
parameter ofundici.request
, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.Patches
This issue was fixed in
undici@5.8.1
.Workarounds
The best workaround is to validate user input before passing it to the
undici.request
call.For more information
If you have any questions or comments about this advisory:
CVE-2022-35948
Impact
=< undici@5.8.0
users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside thecontent-type
header.Example:
The above snippet will perform two requests in a single
request
API call:1)
http://localhost:3000/
2)http://localhost:3000/foo2
Patches
This issue was patched in Undici v5.8.1
Workarounds
Sanitize input when sending content-type headers using user input.
For more information
If you have any questions or comments about this advisory:
CVE-2023-23936
Impact
undici library does not protect
host
HTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.host
string before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
CVE-2023-24807
Impact
The
Headers.set()
andHeaders.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()
utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
CVE-2024-24758
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorization
headers.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
CVE-2024-30261
Impact
If an attacker can alter the
integrity
option passed tofetch()
, they can letfetch()
accept requests as valid even if they have been tampered.Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integrity
cannot be tampered with.References
https://hackerone.com/reports/2377760
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch()
, but did not clear them forundici.request()
.Patches
This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()
or disablemaxRedirections
.References
Linzi Shang reported this.
Release Notes
nodejs/undici (undici)
### [`v5.28.4`](https://redirect.github.com/nodejs/undici/releases/tag/v5.28.4) [Compare Source](https://redirect.github.com/nodejs/undici/compare/v5.28.3...v5.28.4) #### :warning: Security Release :warning: - Fixes https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 CVE-2024-30260 - Fixes https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 CVE-2024-30261 **Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4 ### [`v5.28.3`](https://redirect.github.com/nodejs/undici/releases/tag/v5.28.3) [Compare Source](https://redirect.github.com/nodejs/undici/compare/v5.28.2...v5.28.3) #### ⚠️ Security Release ⚠️ Details on the vulnerabilities fixed will be shared in the next couple of days. **Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.