undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3251-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3250-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3196-1 advisory.

  - npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or     with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm     publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published     files into the npm registry they did not intend to include. Users should upgrade to the latest, patched     version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0     include the patched v8.11.0 version of npm. (CVE-2022-29244)

  - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences     into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0.
    Sanitizing all HTTP headers from untrusted sources to eliminate `\r ` is a workaround for this issue.
    (CVE-2022-31150)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to
    _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the     `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput =     'application/json\r \r GET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET',     headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two     requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This     issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a     workaround. (CVE-2022-35948)

  - undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side     Request Forgery) when an application takes in **user input** into the `path/pathname` option of     `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici     = require(undici) undici.request({origin: http://example.com, pathname: //127.0.0.1}) ``` Instead of     processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when     `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to     `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can     result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change     because the specified path parameter is combined with the base URL. This issue was fixed in     `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request`     call. (CVE-2022-35949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
195166	GLSA-202405-29 : Node.js: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
164977	SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3251-1)	Nessus	SuSE Local Security Checks	critical
164969	SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:3250-1)	Nessus	SuSE Local Security Checks	critical
164902	SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3196-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2022-35949

critical

Tenable Plugins

critical

critical

critical

critical