CVE-2022-33987 Overview
CVE-2022-33987 is a security vulnerability in got, an HTTP request library for Node.js, that lets a malicious server redirect a client's requests to a UNIX socket. The got package before version 12.1.0 (also fixed in 11.8.5 on the 11.x branch) does not validate redirect destinations, so a server can answer with a redirect whose target is a local UNIX socket path. An attacker controlling that server could thereby interact with local services that listen on UNIX sockets, bypassing network security controls.
Critical Impact
Applications using vulnerable versions of the got package may be tricked into communicating with unintended local services through UNIX socket redirects, potentially exposing sensitive data or enabling further attacks on internal services.
Affected Products
- got versions prior to 12.1.0
- got versions prior to 11.8.5 (on the 11.x branch)
- Node.js applications using affected got versions
Discovery Timeline
- 2022-06-18 - CVE-2022-33987 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2022-33987
Vulnerability Analysis
This vulnerability exists in the HTTP redirect handling mechanism of the got package. When the library follows HTTP redirects, it fails to validate whether the redirect target is a legitimate HTTP/HTTPS URL versus a UNIX socket path. UNIX sockets are a form of inter-process communication (IPC) commonly used on Linux and macOS systems for local services to communicate securely without network overhead.
The vulnerability allows a malicious HTTP server to return a redirect response pointing to a UNIX socket path (e.g., /var/run/docker.sock). The got library would then attempt to connect to this socket, effectively allowing the attacker to proxy requests through the victim application to local services. This is particularly dangerous in containerized environments where UNIX sockets like Docker's socket may be mounted and accessible.
Root Cause
The root cause of CVE-2022-33987 is insufficient validation of redirect URLs in the got HTTP client library. The library did not properly sanitize or restrict the protocol schemes and destination types when processing HTTP redirect responses (3xx status codes). This oversight allowed redirect URLs pointing to UNIX socket paths to be followed without verification.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must control or compromise an HTTP server that a vulnerable application makes requests to. The attack flow is as follows:
- The victim application using a vulnerable got version makes an HTTP request to an attacker-controlled server
- The malicious server responds with an HTTP redirect (301, 302, 307, or 308) pointing to a UNIX socket path
- The got library follows the redirect and connects to the specified UNIX socket
- The attacker can now send arbitrary data to the local UNIX socket service through the victim application
This vulnerability could be chained with Server-Side Request Forgery (SSRF) attacks to access sensitive local services such as Docker daemon sockets, database sockets, or other IPC mechanisms.
Detection Methods for CVE-2022-33987
Indicators of Compromise
- Unexpected connections to UNIX socket files from Node.js processes
- HTTP redirect responses containing socket paths in application logs
- Anomalous activity on local services that communicate via UNIX sockets
- Network traffic patterns showing requests to external servers followed by local socket access
Detection Strategies
- Implement Software Composition Analysis (SCA) to identify vulnerable got package versions in your dependency tree
- Monitor application logs for redirect URLs containing UNIX socket paths or unusual protocols
- Use runtime application security monitoring to detect unexpected UNIX socket connections
- Audit package.json and package-lock.json files for got versions below 12.1.0 (or below 11.8.5 on the 11.x branch)
Monitoring Recommendations
- Enable verbose logging for HTTP client libraries to capture redirect chains
- Monitor file system access patterns for Node.js applications, particularly access to common socket paths like /var/run/docker.sock
- Implement network egress monitoring to identify potentially malicious redirect servers
- Use container security tools to detect unexpected socket access in containerized environments
How to Mitigate CVE-2022-33987
Immediate Actions Required
- Upgrade the got package to version 12.1.0 or later for the 12.x branch
- Upgrade to version 11.8.5 or later if using the 11.x branch
- Audit all Node.js applications and their dependencies for vulnerable got versions
- Review and restrict which services can access UNIX sockets in your environment
Patch Information
The vulnerability has been patched in got versions 12.1.0 and 11.8.5. The fix introduces proper validation of redirect destinations to prevent redirects to UNIX socket paths. Technical details of the patch can be found in the GitHub Pull Request #2047 and the version comparison between v12.0.3 and v12.1.0. The v11.8.5 release notes document the backported fix for the 11.x branch.
Workarounds
- Implement application-level URL validation before making requests with got to block socket-based URLs
- Use network policies or firewall rules to restrict which external servers your applications can communicate with
- In containerized environments, avoid mounting UNIX sockets unless strictly necessary
- Consider using a proxy or gateway that validates redirect destinations before forwarding requests
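The log check from Detection Strategies and the application-level URL validation from Workarounds, as one added JavaScript example (not got's own code and not from this page): it resolves a Location header the way an HTTP client does, flags targets that use got's UNIX-socket URL form (the literal host "unix") or a non-HTTP scheme, and runs the same check over constructed log lines whose format is an assumption. The beforeRedirect hook wiring in the trailing comment assumes got's documented hook signature.

```javascript
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Resolve a Location header against the request URL, as an HTTP client does, and
// report whether following it would reach a UNIX socket. got addresses sockets as
// PROTOCOL://unix:SOCKET:PATH, so a socket target shows up as the literal host "unix".
function checkRedirect(requestUrl, location) {
  let target;
  try {
    target = new URL(location, requestUrl); // handles relative and scheme-relative Location values
  } catch {
    return { ok: false, target: null, reason: 'unparseable Location header' };
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return { ok: false, target: target.href, reason: `scheme ${target.protocol} not allowed` };
  }
  if (target.hostname === 'unix') { // the URL parser lowercases hostnames, so "UNIX:" is caught too
    return { ok: false, target: target.href, reason: 'redirect targets a UNIX socket' };
  }
  return { ok: true, target: target.href, reason: null };
}

// Scan log lines of the assumed form "redirect from=<request url> location=<header value>"
// and return the entries that would have reached a socket or a disallowed scheme.
function findSocketRedirects(logLines) {
  const re = /redirect from=(\S+) location=(\S+)/;
  const hits = [];
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m) continue;
    const result = checkRedirect(m[1], m[2]);
    if (!result.ok) hits.push({ line, ...result });
  }
  return hits;
}

// Constructed sample log lines: one benign redirect, two that point at the Docker socket.
const SAMPLE_LOG = [
  'redirect from=https://api.example.test/v1 location=https://api.example.test/v2',
  'redirect from=http://updates.example.test/ location=http://unix:/var/run/docker.sock:/containers/json',
  'redirect from=http://updates.example.test/ location=//UNIX:/var/run/docker.sock:/info',
];

// Wiring into got (assumed hook signature from got's docs): throw so the client never connects.
// hooks: { beforeRedirect: [(options, response) => {
//   const r = checkRedirect(response.requestUrl, response.headers.location);
//   if (!r.ok) throw new Error(`blocked redirect: ${r.reason}`);
// }] }
```

Upgrading remains the real fix; this check only adds a guard for applications that cannot move off a vulnerable version immediately.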
# Update got package to patched version
npm update got
# Or install specific patched versions
npm install got@12.1.0
# For 11.x branch:
npm install got@11.8.5
# Verify installed version
npm list got
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.