PT-2022-3494 · Node.js · Undici

Pimterry · Published 2022-06-17 · Updated 2022-07-25 · CVE-2022-32210

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.5.1

Description: The issue stems from missing certificate validation in the Undici module for Node.js, which can allow a remote attacker to access protected information. Specifically, Undici.ProxyAgent never verifies the remote server's certificate and exposes all request and response data to the proxy. This means the proxy can perform man-in-the-middle (MitM) attacks on all HTTPS traffic sent through it. If the proxy's URL is HTTP, requests that are nominally HTTPS travel between Undici and the proxy server as plain-text HTTP.

Recommendations: For versions prior to 5.5.1, update to version 5.5.1 or later to resolve the issue. As a temporary workaround, do not use ProxyAgent as the dispatcher for TLS connections until the update is applied.
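An added example (not part of the advisory or of the undici project) that applies the workaround above in application code: while the installed undici is an affected release, https:// targets are routed around ProxyAgent to a direct dispatcher. The version string and the dispatcher objects are passed in so the check runs without undici installed; `proxyDispatcher` and `directDispatcher` are assumed stand-ins for a `ProxyAgent` and a plain `Agent`.

```javascript
'use strict';

// First undici release without the ProxyAgent flaw (CVE-2022-32210).
const FIXED_VERSION = '5.5.1';

// Compare two dotted version strings numerically. A pre-release suffix
// (e.g. "5.5.1-rc.0") sorts before the bare release, as semver orders it.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^v/, '').split('-');
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True for every undici release the advisory lists as affected (prior to 5.5.1).
function isVulnerableUndici(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pick the dispatcher for one request. On an affected undici an https:// target
// must not go through ProxyAgent: the remote certificate is never checked and
// the proxy sees the plaintext. The reason string lets callers log the bypass.
// `proxyDispatcher`/`directDispatcher` are hypothetical stand-ins (see lead-in).
function chooseDispatcher({ url, undiciVersion, proxyUrl, proxyDispatcher, directDispatcher }) {
  const target = new URL(url);
  if (target.protocol === 'https:' && isVulnerableUndici(undiciVersion)) {
    const proxyIsPlainHttp = new URL(proxyUrl).protocol === 'http:';
    return {
      dispatcher: directDispatcher,
      reason: proxyIsPlainHttp
        ? 'affected undici + http proxy: request would leave in cleartext'
        : 'affected undici: ProxyAgent skips certificate verification',
    };
  }
  return { dispatcher: proxyDispatcher, reason: 'proxy allowed' };
}
```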


Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2022-04275
CVE-2022-32210
GHSA-PGW7-WX7W-2W33

Affected Products

Undici