CVE-2022-35949

Name of the Vulnerable Software and Affected Versions undici versions prior to 5.8.1

Description The issue is related to Server-side Request Forgery (SSRF) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1, it can result in an SSRF as the hostname can change because the specified path parameter is combined with the base URL. For example, using the undici.request call with origin set to "http://example.com" and pathname set to "//127.0.0.1" will process the request as http://127.0.0.1/ and send it to http://127.0.0.1. The path parameter of undici.request is vulnerable when user input is passed into it.

Recommendations To resolve the issue, update to undici@5.8.1 or later. As a temporary workaround, validate user input before passing it to the undici.request call to prevent SSRF attacks.