CVE-2022-32210

MEDIUM

Undici 4.8.2-5.5.0 - Improper Certificate Validation in ProxyAgent

Title source: llm

Description

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

References (2)

Core references:
https://hackerone.com/reports/1583680 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)
https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 6.5
EPSS 0.0013
EPSS Percentile 31.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

CWE
CWE-295
Status published
Products (2)
nodejs/undici 4.8.2 - 5.5.1
npm/undici 4.8.2 - 5.5.1
Published Jul 14, 2022
Tracked Since Feb 18, 2026