SCA: security update for undici (GHSA-8qr4-xgw6-wmr3)

critical Tenable Self-Hosted Container Security Plugin ID 412814

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side
Request Forgery) when an application takes in **user input** into the `path/pathname` option of
`undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici
= require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of
processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when
`http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to
`http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can
result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change
because the specified path parameter is combined with the base URL. This issue was fixed in
`[email protected]`. The best workaround is to validate user input before passing it to the `undici.request`
call. (CVE-2022-35949)

See Also

https://github.com/advisories/GHSA-8qr4-xgw6-wmr3

Plugin Details

Severity: Critical

ID: 412814

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-35949

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/18/2022

Vulnerability Publication Date: 8/12/2022

Reference Information

CVE: CVE-2022-35949

cwe: CWE-918