Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency undici to v5.28.4 [security] - autoclosed #522

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici (source) 5.5.1 -> 5.28.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-31151

Impact

Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.

However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in v5.8.0.

Workarounds

By default, this vulnerability is not exploitable.
Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

https://hackerone.com/reports/1635514
https://curl.se/docs/CVE-2018-1000007.html
https://curl.se/docs/CVE-2022-27776.html

For more information

If you have any questions or comments about this advisory:

CVE-2022-31150

Impact

It is possible to inject CRLF sequences into request headers in Undici.

const undici = require('undici')

const response = undici.request("http://127.0.0.1:1000", {
  headers: {'a': "\r\nb"}
})

The same applies to path and method

Patches

Update to v5.8.0

Workarounds

Sanitize all HTTP headers from untrusted sources to eliminate \r\n.

References

https://hackerone.com/reports/409943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116

For more information

If you have any questions or comments about this advisory:

CVE-2022-35949

Impact

undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request.

If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1

const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1.

If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

Patches

This issue was fixed in undici@5.8.1.

Workarounds

The best workaround is to validate user input before passing it to the undici.request call.

For more information

If you have any questions or comments about this advisory:

CVE-2022-35948

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

  1. http://localhost:3000/
  2. http://localhost:3000/foo2

Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

CVE-2023-23936

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

CVE-2023-24807

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

Credits

Carter Snook reported this vulnerability.

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.


Release Notes

nodejs/undici (undici)

v5.28.4

Compare Source

⚠️ Security Release ⚠️

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

v5.22.1

Compare Source

What's Changed

New Contributors


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 16, 2023
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 10 times, most recently from c3ba3b5 to 3a943cf Compare March 22, 2023 23:10
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 11 times, most recently from 74ea084 to 646cf5c Compare March 30, 2023 22:19
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 646cf5c to 2969bbd Compare March 31, 2023 03:25
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 3 times, most recently from 13bbf9f to 612efb7 Compare April 17, 2023 21:04
@renovate renovate bot changed the title chore(deps): update dependency undici to v5.8.2 [security] chore(deps): update dependency undici to v5.8.2 [security] - autoclosed Apr 26, 2023
@renovate renovate bot closed this Apr 26, 2023
@renovate renovate bot deleted the renovate/npm-undici-vulnerability branch April 26, 2023 02:22
@renovate renovate bot changed the title chore(deps): update dependency undici to v5.8.2 [security] - autoclosed chore(deps): update dependency undici to v5.8.2 [security] Apr 26, 2023
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 5 times, most recently from e6369e6 to fa51dc3 Compare September 27, 2024 19:32
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 4 times, most recently from a6f81e6 to 7d9e3c7 Compare October 9, 2024 04:08
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 6 times, most recently from bf54409 to 35b4676 Compare October 23, 2024 20:22
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch 8 times, most recently from 63c34aa to 036f231 Compare October 31, 2024 23:23
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 036f231 to 20be6f8 Compare November 3, 2024 07:15
@renovate renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 20be6f8 to 7a940ab Compare November 5, 2024 04:26
Copy link
Contributor Author

renovate bot commented Nov 18, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @commitlint/load@npm:19.5.0 doesn't provide @types/node (pf5ec2), requested by cosmiconfig-typescript-loader
➤ YN0002: │ @commitlint/load@npm:19.5.0 doesn't provide typescript (p5d62b), requested by cosmiconfig-typescript-loader
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 574ms
➤ YN0000: ┌ Fetch step
➤ YN0013: │ 486 packages were already cached, 2 had to be fetched
➤ YN0000: └ Completed in 1s 497ms
➤ YN0000: ┌ Link step
➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
➤ YN0007: │ lodepng@npm:2.1.0 must be built because it never has been before or the last one failed
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info it worked if it ends with ok
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info using node-gyp@9.1.0
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info using node@22.12.0 | linux | x64
➤ YN0000: │ lodepng@npm:2.1.0 STDERR (node:1021) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
➤ YN0000: │ lodepng@npm:2.1.0 STDERR (Use `node --trace-deprecation ...` to show where the warning was created)
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info find Python using Python version 3.12.3 found at "/usr/bin/python3"
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp http GET https://nodejs.org/download/release/v22.12.0/node-v22.12.0-headers.tar.gz
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp http 200 https://nodejs.org/download/release/v22.12.0/node-v22.12.0-headers.tar.gz
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp http GET https://nodejs.org/download/release/v22.12.0/SHASUMS256.txt
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp http 200 https://nodejs.org/download/release/v22.12.0/SHASUMS256.txt
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn /usr/bin/python3
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args [
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/gyp/gyp_main.py',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   'binding.gyp',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-f',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   'make',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-I',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/lodepng-npm-2.1.0-2da8eb7aa0/node_modules/lodepng/build/config.gypi',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-I',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/addon.gypi',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-I',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '/home/ubuntu/.cache/node-gyp/22.12.0/include/node/common.gypi',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dlibrary=shared_library',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dvisibility=default',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dnode_root_dir=/home/ubuntu/.cache/node-gyp/22.12.0',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dnode_gyp_dir=/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dnode_lib_file=/home/ubuntu/.cache/node-gyp/22.12.0/<(target_arch)/node.lib',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dmodule_root_dir=/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/lodepng-npm-2.1.0-2da8eb7aa0/node_modules/lodepng',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Dnode_engine=v8',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '--depth=.',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '--no-parallel',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '--generator-output',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   'build',
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args   '-Goutput_dir=.'
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp info spawn args ]
➤ YN0000: │ lodepng@npm:2.1.0 STDERR Traceback (most recent call last):
➤ YN0000: │ lodepng@npm:2.1.0 STDERR   File "/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/gyp/gyp_main.py", line 42, in <module>
➤ YN0000: │ lodepng@npm:2.1.0 STDERR     import gyp  # noqa: E402
➤ YN0000: │ lodepng@npm:2.1.0 STDERR     ^^^^^^^^^^
➤ YN0000: │ lodepng@npm:2.1.0 STDERR   File "/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/gyp/pylib/gyp/__init__.py", line 9, in <module>
➤ YN0000: │ lodepng@npm:2.1.0 STDERR     import gyp.input
➤ YN0000: │ lodepng@npm:2.1.0 STDERR   File "/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/gyp/pylib/gyp/input.py", line 19, in <module>
➤ YN0000: │ lodepng@npm:2.1.0 STDERR     from distutils.version import StrictVersion
➤ YN0000: │ lodepng@npm:2.1.0 STDERR ModuleNotFoundError: No module named 'distutils'
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! configure error 
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! stack Error: `gyp` failed with exit code: 1
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! stack     at ChildProcess.onCpExit (/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/lib/configure.js:284:16)
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! stack     at ChildProcess.emit (node:events:524:28)
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! stack     at ChildProcess._handle.onexit (node:internal/child_process:293:12)
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! System Linux 6.1.102
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! command "/opt/containerbase/tools/node/22.12.0/bin/node" "/tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/node-gyp-npm-9.1.0-2091059b31/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! cwd /tmp/renovate/repos/github/bitomic/wikiactivity/.yarn/unplugged/lodepng-npm-2.1.0-2da8eb7aa0/node_modules/lodepng
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! node -v v22.12.0
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! node-gyp -v v9.1.0
➤ YN0000: │ lodepng@npm:2.1.0 STDERR gyp ERR! not ok 
➤ YN0009: │ lodepng@npm:2.1.0 couldn't be built successfully (exit code 1, logs can be found here: /tmp/xfs-3fcbcc72/build.log)
➤ YN0000: └ Completed in 4s 366ms
➤ YN0000: Failed with errors in 6s 497ms

@renovate renovate bot changed the title chore(deps): update dependency undici to v5.28.4 [security] chore(deps): update dependency undici to v5.28.4 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-undici-vulnerability branch December 8, 2024 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants