-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency undici to v5.28.4 [security] - autoclosed #522
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
10 times, most recently
from
March 22, 2023 23:10
c3ba3b5
to
3a943cf
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
11 times, most recently
from
March 30, 2023 22:19
74ea084
to
646cf5c
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
March 31, 2023 03:25
646cf5c
to
2969bbd
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
3 times, most recently
from
April 17, 2023 21:04
13bbf9f
to
612efb7
Compare
renovate
bot
changed the title
chore(deps): update dependency undici to v5.8.2 [security]
chore(deps): update dependency undici to v5.8.2 [security] - autoclosed
Apr 26, 2023
renovate
bot
changed the title
chore(deps): update dependency undici to v5.8.2 [security] - autoclosed
chore(deps): update dependency undici to v5.8.2 [security]
Apr 26, 2023
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
5 times, most recently
from
September 27, 2024 19:32
e6369e6
to
fa51dc3
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
4 times, most recently
from
October 9, 2024 04:08
a6f81e6
to
7d9e3c7
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
6 times, most recently
from
October 23, 2024 20:22
bf54409
to
35b4676
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
8 times, most recently
from
October 31, 2024 23:23
63c34aa
to
036f231
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
November 3, 2024 07:15
036f231
to
20be6f8
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
November 5, 2024 04:26
20be6f8
to
7a940ab
Compare
|
renovate
bot
changed the title
chore(deps): update dependency undici to v5.28.4 [security]
chore(deps): update dependency undici to v5.28.4 [security] - autoclosed
Dec 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.5.1
->5.28.4
GitHub Vulnerability Alerts
CVE-2022-31151
Impact
Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in v5.8.0.
Workarounds
By default, this vulnerability is not exploitable.
Do not enable redirections, i.e.
maxRedirections: 0
(the default).References
https://hackerone.com/reports/1635514
https://curl.se/docs/CVE-2018-1000007.html
https://curl.se/docs/CVE-2022-27776.html
For more information
If you have any questions or comments about this advisory:
CVE-2022-31150
Impact
It is possible to inject CRLF sequences into request headers in Undici.
The same applies to
path
andmethod
Patches
Update to v5.8.0
Workarounds
Sanitize all HTTP headers from untrusted sources to eliminate
\r\n
.References
https://hackerone.com/reports/409943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
For more information
If you have any questions or comments about this advisory:
CVE-2022-35949
Impact
undici
is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into thepath/pathname
option ofundici.request
.If a user specifies a URL such as
http://127.0.0.1
or//127.0.0.1
Instead of processing the request as
http://example.org//127.0.0.1
(orhttp://example.org/http://127.0.0.1
whenhttp://127.0.0.1 is used
), it actually processes the request ashttp://127.0.0.1/
and sends it tohttp://127.0.0.1
.If a developer passes in user input into
path
parameter ofundici.request
, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.Patches
This issue was fixed in
undici@5.8.1
.Workarounds
The best workaround is to validate user input before passing it to the
undici.request
call.For more information
If you have any questions or comments about this advisory:
CVE-2022-35948
Impact
=< undici@5.8.0
users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside thecontent-type
header.Example:
The above snippet will perform two requests in a single
request
API call:http://localhost:3000/
http://localhost:3000/foo2
Patches
This issue was patched in Undici v5.8.1
Workarounds
Sanitize input when sending content-type headers using user input.
For more information
If you have any questions or comments about this advisory:
CVE-2023-23936
Impact
undici library does not protect
host
HTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.host
string before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
CVE-2023-24807
Impact
The
Headers.set()
andHeaders.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()
utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
CVE-2024-24758
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorization
headers.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
CVE-2024-30261
Impact
If an attacker can alter the
integrity
option passed tofetch()
, they can letfetch()
accept requests as valid even if they have been tampered.Patches
Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integrity
cannot be tampered with.References
https://hackerone.com/reports/2377760
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch()
, but did not clear them forundici.request()
.Patches
This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()
or disablemaxRedirections
.References
Linzi Shang reported this.
Release Notes
nodejs/undici (undici)
v5.28.4
Compare Source
Full Changelog: nodejs/undici@v5.28.3...v5.28.4
v5.28.3
Compare Source
Details on the vulnerabilities fixed will be shared in the next couple of days.
Full Changelog: nodejs/undici@v5.28.2...v5.28.3
v5.28.2
Compare Source
What's Changed
node:
prefix by @tsctx in https://github.com/nodejs/undici/pull/2471null
type tosignal
inRequestInit
by @gebsh in https://github.com/nodejs/undici/pull/2455New Contributors
Full Changelog: nodejs/undici@v5.28.1...v5.28.2
v5.28.1
Compare Source
What's Changed
normalizeMethod
by @tsctx in https://github.com/nodejs/undici/pull/2456Full Changelog: nodejs/undici@v5.28.0...v5.28.1
v5.28.0
Compare Source
What's Changed
substring
instead ofsubstr
by @tsctx in https://github.com/nodejs/undici/pull/2411Headers#set
correctly by @tsctx in https://github.com/nodejs/undici/pull/2432Headers#delete
correctly by @tsctx in https://github.com/nodejs/undici/pull/2430onHeaders
type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444path
matching inintercept()
by @oliversalzburg in https://github.com/nodejs/undici/pull/2426New Contributors
Full Changelog: nodejs/undici@v5.27.2...v5.28.0
v5.27.2
Compare Source
Full Changelog: nodejs/undici@v5.27.1...v5.27.2
v5.27.1
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.27.0...v5.27.1
v5.27.0
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.5...v5.27.0
v5.26.5
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.4...v5.26.5
v5.26.4
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.26.3...v5.26.4
v5.26.3
Compare Source
v5.26.2
Compare Source
Security Release, CVE-2023-45143.
v5.26.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.0...v5.26.1
v5.26.0
Compare Source
What's Changed
node
by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310--max-http-header-size
Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234New Contributors
Full Changelog: nodejs/undici@v5.23.4...v5.26.0
v5.25.4
Compare Source
v5.25.3
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.2...v5.25.3
v5.25.2
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.1...v5.25.2
v5.25.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.25.0...v5.25.1
v5.25.0
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.24.0...v5.25.0
v5.24.0
Compare Source
Notable Changes
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.23.0...v5.24.0
v5.23.0
Compare Source
What's Changed
autoselectfamily
on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197addAbortListener
where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195New Contributors
Full Changelog: nodejs/undici@v5.22.1...v5.23.0
v5.22.1
Compare Source
What's Changed
New Contributors
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.