GHSA-8qr4-xgw6-wmr3

GitHub Security Advisory

`undici.request` vulnerable to SSRF using absolute URL on `pathname`

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.

If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.com//127.0.0.1` (or `http://example.com/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`.

If a developer passes user input into the `path` parameter of `undici.request`, it can result in an _SSRF_: the developer will assume that the hostname cannot change, when in fact it can, because the specified path parameter is combined with the base URL.

### Patches

This issue was fixed in `undici@5.8.2`.

### Workarounds

The best workaround is to validate user input before passing it to the `undici.request` call.
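The following is an added example of the recommended input validation; it is not code from the advisory or from the `undici` project. It resolves the user-supplied `pathname` against the intended origin with the WHATWG `URL` parser (the same resolution that turns `//127.0.0.1` into a different host) and rejects anything that changes the origin. The function names, the `example.com` origin and the sample inputs are constructed for illustration.

```javascript
// Added example (not part of the advisory or undici). Shows why a
// user-controlled `pathname` can change the request host, and a guard that
// enforces "validate user input before passing it to undici.request".

// Resolve `pathname` against `origin` as a URL parser would and return the
// origin the request would really be sent to.
function effectiveOrigin(origin, pathname) {
  return new URL(pathname, origin).origin;
}

// Return a path that is safe to pass as `path`/`pathname`, or throw.
// 1. Must be an absolute path: a single leading '/' (so '//host' and
//    'http://host' are rejected up front).
// 2. After resolution, scheme+host+port must still equal the intended
//    origin. This catches parser quirks the prefix check misses, e.g.
//    '/\\127.0.0.1', which the WHATWG parser treats like '//127.0.0.1'.
function safePath(origin, pathname) {
  if (typeof pathname !== "string" ||
      !pathname.startsWith("/") || pathname.startsWith("//")) {
    throw new Error("path must start with exactly one '/'");
  }
  const intended = new URL(origin).origin;
  const resolved = new URL(pathname, origin);
  if (resolved.origin !== intended) {
    throw new Error(`path would change origin to ${resolved.origin}`);
  }
  // Re-serialise from the parsed URL so the caller sends what was checked.
  return resolved.pathname + resolved.search;
}

// Stricter option when the user controls only one path segment: percent-
// encode it so it can never contain '/', '\\', ':' or '?' and therefore
// cannot escape the fixed prefix.
function segmentPath(prefix, segment) {
  return `${prefix}/${encodeURIComponent(segment)}`;
}

module.exports = { effectiveOrigin, safePath, segmentPath };
```

Both `//127.0.0.1` and `http://127.0.0.1` resolve to origin `http://127.0.0.1` and are rejected by `safePath`, while `/users/1?x=1` passes through unchanged.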

## For more information
If you have any questions or comments about this advisory:

- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

Affected Packages

npm undici
Affected versions: 0 (fixed in 5.8.2)

Related CVEs

Key Information

GHSA ID
GHSA-8qr4-xgw6-wmr3
Published
August 18, 2022 6:59 PM
Last Modified
January 18, 2023 9:52 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
undici
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.