CVE-2022-35949: CWE-918: Server-Side Request Forgery (SSRF) in nodejs undici

Medium
Published: Fri Aug 12 2022 (08/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: nodejs
Product: undici

Description

undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes user input into the `path` parameter of `undici.request`, it can result in an _SSRF_, as they will assume that the hostname cannot change, when in fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

AI-Powered Analysis

Last updated: 06/21/2025, 23:55:03 UTC

Technical Analysis

CVE-2022-35949 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Node.js HTTP/1.1 client library 'undici', which is designed for high-performance HTTP requests. The vulnerability arises when user input is passed directly into the 'path' or 'pathname' parameter of the undici.request() method without proper validation. Normally, the 'path' parameter is expected to be a relative path appended to a fixed origin URL. However, due to improper handling, if the user input includes a URL-like string such as 'http://127.0.0.1' or '//127.0.0.1', undici interprets this as an absolute URL and sends the request to the specified host (e.g., localhost) instead of appending it to the origin host. This behavior allows an attacker to coerce the server into making HTTP requests to internal or otherwise restricted network resources, potentially exposing sensitive internal services or data. The vulnerability affects undici versions before 5.8.1, the release in which it was fixed. Exploitation requires that the application accepts user input that is passed unchecked to undici.request's 'path' parameter. No authentication or user interaction beyond supplying the input is necessary. No known exploits have been reported in the wild to date. The root cause is a failure to properly sanitize or validate user input before constructing the request URL, leading to SSRF via path parameter manipulation. The recommended fix is to upgrade undici to version 5.8.1 or later and to implement strict validation of user-supplied input to ensure it cannot override the intended hostname or protocol.
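The host-override described above, reproduced with the WHATWG URL parser as an added example (this is not undici's code; resolveAsUndiciDid only mimics the resolution behaviour the advisory describes), followed by a hypothetical buildSafeRequest wrapper that keeps a user-supplied path on the intended origin before it reaches undici.request:

```javascript
// Mimics the flawed behaviour: the path option is resolved against the origin
// the way a URL parser resolves a relative reference, so a scheme-relative
// ("//host") or absolute ("http://host") input replaces the host entirely.
function resolveAsUndiciDid(origin, path) {
  return new URL(path, origin).href;
}

// Hardened wrapper (hypothetical, not part of undici): accepts only a
// same-origin absolute path and returns { origin, path } for undici.request.
function buildSafeRequest(origin, userPath) {
  if (typeof userPath !== "string" || !userPath.startsWith("/")) {
    throw new Error("path must be absolute (start with '/')");
  }
  // "//host" is scheme-relative, and "/\host" is equivalent for http(s)
  // because the parser treats backslash as a slash in special schemes.
  if (userPath.startsWith("//") || userPath.includes("\\")) {
    throw new Error("path must not carry an authority component");
  }
  const base = new URL(origin);
  const resolved = new URL(userPath, base);
  // The real guard: whatever the parser made of the input, the origin
  // must not have changed.
  if (resolved.origin !== base.origin) {
    throw new Error("path escapes the intended origin");
  }
  return { origin: base.origin, path: resolved.pathname + resolved.search };
}

// Demonstration on the advisory's own inputs.
console.log(resolveAsUndiciDid("http://example.com", "//127.0.0.1"));  // host replaced
console.log(buildSafeRequest("http://example.com", "/api/users?id=1")); // accepted
```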

Potential Impact

For European organizations, this SSRF vulnerability poses a significant risk primarily to web applications and backend services that utilize the undici HTTP client and accept user-controlled input for HTTP requests. Successful exploitation can lead to unauthorized internal network scanning, access to internal-only services (such as databases, metadata services, or administrative interfaces), and potential data exfiltration or lateral movement within the network. This can compromise confidentiality and integrity of sensitive data and may also impact availability if internal services are manipulated or overwhelmed. Given that Node.js is widely used in web services across Europe, especially in fintech, e-commerce, and public sector applications, the vulnerability could be leveraged to bypass perimeter defenses. The SSRF can be a stepping stone for more complex attacks, including privilege escalation or supply chain compromise. While no exploits are currently known in the wild, the ease of exploitation and the potential to reach internal resources make this a medium to high risk for organizations that have not patched or mitigated the issue. The impact is especially critical for organizations with sensitive internal APIs or cloud metadata services exposed internally, as SSRF can be used to access these resources.

Mitigation Recommendations

1. Upgrade the undici library to version 5.8.1 or later immediately to incorporate the official fix.
2. Implement strict input validation and sanitization on all user inputs that influence HTTP request paths. Specifically, reject or sanitize inputs containing URL schemes (e.g., 'http://', '//') or IP addresses that could override the intended host.
3. Employ allowlisting for acceptable path formats and disallow absolute URLs or network addresses in the path parameter.
4. Use network segmentation and firewall rules to restrict server-side HTTP requests to only necessary external endpoints, preventing SSRF from reaching sensitive internal services.
5. Monitor application logs for unusual outbound HTTP requests, especially those targeting localhost (127.0.0.1), private IP ranges, or cloud metadata IPs (e.g., 169.254.169.254).
6. Conduct code reviews and security testing focusing on all uses of undici.request to ensure no user input is passed unchecked.
7. Consider implementing runtime application self-protection (RASP) or web application firewalls (WAF) with SSRF detection capabilities to detect and block suspicious requests.
8. Educate developers about the risks of SSRF and secure coding practices related to HTTP client usage.
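The log monitoring in item 5, as an added example that is not part of this advisory: the log format and the lines in SAMPLE_LOG are constructed for illustration, and the detector flags outbound requests whose destination is loopback, a private range, link-local, or the cloud metadata address.

```javascript
// Constructed log format: "<timestamp> outbound method=<METHOD> url=<URL>".
// The url must be the destination actually dialled, not the configured
// origin; the last line shows why a log of the configured origin would
// miss a path-based host override.
const SAMPLE_LOG = [
  "2025-06-21T10:00:01Z outbound method=GET url=http://api.partner.example/v1/items",
  "2025-06-21T10:00:02Z outbound method=GET url=http://127.0.0.1/admin",
  "2025-06-21T10:00:03Z outbound method=GET url=http://169.254.169.254/latest/meta-data/",
  "2025-06-21T10:00:04Z outbound method=POST url=http://10.3.2.1:8080/internal",
  "2025-06-21T10:00:05Z outbound method=GET url=http://localhost:9200/_cat/indices",
  "2025-06-21T10:00:06Z outbound method=GET url=http://example.com//127.0.0.1",
];

// Loopback, RFC 1918 private ranges and link-local (which contains the
// 169.254.169.254 metadata address), as CIDR prefixes.
const INTERNAL_RANGES = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16],
];

function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

function isInternalHost(host) {
  const h = host.toLowerCase();
  if (h === "localhost" || h === "[::1]" || h === "::1") return true;
  const ip = ipv4ToInt(h);
  if (ip === null) return false; // hostnames are left to DNS-level controls
  return INTERNAL_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Returns the lines whose destination host is internal, with the host parsed out.
function flagInternalRequests(lines) {
  const flagged = [];
  for (const line of lines) {
    const m = /url=(\S+)/.exec(line);
    if (!m) continue;
    let u;
    try { u = new URL(m[1]); } catch { continue; } // unparseable: skip
    if (isInternalHost(u.hostname)) flagged.push({ line, host: u.hostname });
  }
  return flagged;
}

console.log(flagInternalRequests(SAMPLE_LOG).map((f) => f.host));
```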

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf67d5

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:55:03 PM

Last updated: 8/16/2025, 8:41:57 PM
