Skip to main content

Undici CVE-2022-32210

MEDIUM
Improper Certificate Validation (CWE-295)
2022-07-14 support@hackerone.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 14, 2022 - 15:15 nvd
MEDIUM 6.5

DescriptionNVD

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

AnalysisAI

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-295. Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server. Affected products include: Nodejs Undici.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Undici

View all
CVE-2022-35949 CRITICAL POC
9.8 Aug 12

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forge

CVE-2026-12151 HIGH POC
7.5 Jun 17

Memory exhaustion denial of service in the undici WebSocket client (versions 6.17.0 and later) allows a malicious or com

CVE-2022-31151 MEDIUM POC
6.5 Jul 21

Authorization headers are cleared on cross-origin redirect. Rated medium severity (CVSS 6.5), this vulnerability is remo

CVE-2023-23936 MEDIUM POC
5.4 Feb 16

Undici is an HTTP/1.1 client for Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,

CVE-2022-35948 MEDIUM POC
5.3 Aug 15

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection

CVE-2026-6734 HIGH
8.8 Jun 17

Cross-origin request misrouting in undici's Socks5ProxyAgent (introduced in 7.23.0, affecting all releases through 8.1.0

CVE-2026-9675 HIGH
7.5 Jun 17

Denial-of-service in the undici WebSocket client (Node.js HTTP/WebSocket library) version 8.1.0 through versions prior t

CVE-2026-2229 HIGH
7.5 Mar 12

Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending

CVE-2026-1528 HIGH
7.5 Mar 12

Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal ca

CVE-2026-1526 HIGH
7.5 Mar 12

Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote

CVE-2024-30261 LOW POC
3.5 Apr 04

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is rem

CVE-2023-24807 HIGH
7.5 Feb 16

Undici is an HTTP/1.1 client for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

Share

CVE-2022-32210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy