CVE-2022-32210

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request and response data to the proxy. Unexpectedly, this means that the proxy can MitM all HTTPS traffic, and if the proxy's URL is HTTP, nominally HTTPS requests are actually sent as plain-text HTTP between Undici and the proxy server.
Configurations

Configuration 1

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

Information

Published : 2022-07-14 03:15

Updated : 2022-07-25 06:29


NVD link : CVE-2022-32210

Mitre link : CVE-2022-32210

Products Affected
No products.
CWE
CWE-295

Improper Certificate Validation