CVE-2022-35949 Overview
CVE-2022-35949 is a Server-Side Request Forgery (SSRF) vulnerability in undici, a high-performance HTTP/1.1 client written from scratch for Node.js. The vulnerability exists in how the library handles the path/pathname option of undici.request when processing user-supplied input.
When an application passes user input into the path or pathname parameter of undici.request, an attacker can manipulate the request destination by providing specially crafted URLs such as http://127.0.0.1 or //127.0.0.1. Instead of treating this as a relative path appended to the base URL, the library incorrectly processes it as an absolute URL, causing requests to be sent to an attacker-controlled destination.
Critical Impact
This SSRF vulnerability allows attackers to bypass hostname restrictions and redirect requests to internal services, potentially accessing sensitive resources, internal APIs, or cloud metadata endpoints that should not be externally accessible.
Affected Products
- nodejs undici (versions prior to 5.8.1)
Discovery Timeline
- 2022-08-12 - CVE-2022-35949 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-35949
Vulnerability Analysis
The vulnerability stems from a fundamental flaw in how undici handles URL construction when combining user-provided path parameters with a base origin URL. When developers pass user input into the path parameter of undici.request, they reasonably assume that the hostname will remain fixed to the configured origin. However, due to the behavior of JavaScript's URL constructor, if the path parameter contains an absolute URL or a protocol-relative URL (starting with //), the resulting request is redirected to an entirely different host.
For example, when a developer configures a request with origin: "http://example.com" and a user supplies pathname: "//127.0.0.1", the expectation would be a request to http://example.com//127.0.0.1. Instead, the URL constructor interprets //127.0.0.1 as a protocol-relative URL, overriding the origin and sending the request to http://127.0.0.1/. This allows attackers to probe internal networks, access cloud instance metadata services (such as 169.254.169.254), or interact with localhost services.
Root Cause
The root cause lies in the unsafe usage of JavaScript's URL constructor with user-controlled input. When new URL(path, origin) is called, if the path parameter is an absolute URL, the origin (second parameter) is completely ignored. The undici library failed to properly sanitize or validate the path parameter to ensure it remained a relative path before passing it to the URL constructor.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker needs to find an application endpoint that accepts user input and passes it to the path or pathname option of undici.request. The attack requires no user interaction and can be executed with a simple malicious input string such as //127.0.0.1 or http://internal-service/.
// Vulnerable usage pattern
const undici = require("undici")
// Developer expects request to go to example.com
// But attacker-controlled pathname causes SSRF
undici.request({
origin: "http://example.com",
pathname: "//127.0.0.1" // Attacker input
})
// Request actually goes to http://127.0.0.1/
The security patch addresses this by ensuring paths always start with a forward slash and by concatenating the origin and path as strings rather than relying on the URL constructor's potentially dangerous base URL behavior:
// Security patch in index.js
throw new InvalidArgumentError('invalid opts.path')
}
- url = new URL(opts.path, util.parseOrigin(url))
+ let path = opts.path
+ if (!opts.path.startsWith('/')) {
+ path = `/${path}`
+ }
+
+ url = new URL(util.parseOrigin(url).origin + path)
} else {
if (!opts) {
opts = typeof url === 'object' ? url : {}
Source: GitHub Commit Reference
// Security patch in lib/core/util.js
const port = url.port != null
? url.port
: (url.protocol === 'https:' ? 443 : 80)
- const origin = url.origin != null
+ let origin = url.origin != null
? url.origin
: `${url.protocol}//${url.hostname}:${port}`
- const path = url.path != null
+ let path = url.path != null
? url.path
: `${url.pathname || ''}${url.search || ''}`
- url = new URL(path, origin)
+ if (origin.endsWith('/')) {
+ origin = origin.substring(0, origin.length - 1)
+ }
+
+ if (path && !path.startsWith('/')) {
+ path = `/${path}`
+ }
+ // new URL(path, origin) is unsafe when `path` contains an absolute URL
+ // From https://developer.mozilla.org/en-US/docs/Web/API/URL/URL:
+ // If first parameter is a relative URL, second param is required, and will be used as the base URL.
+ // If first parameter is an absolute URL, a given second param will be ignored.
+ url = new URL(origin + path)
}
return url
Source: GitHub Commit Reference
Detection Methods for CVE-2022-35949
Indicators of Compromise
- Unexpected outbound HTTP requests from Node.js applications to internal IP addresses (127.0.0.1, 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) from application servers
- HTTP requests containing path parameters starting with // or containing full URLs like http:// or https://
- Unusual response patterns indicating access to internal services
Detection Strategies
- Monitor application logs for user-supplied path values containing absolute URLs or protocol-relative URLs (starting with //)
- Implement web application firewall (WAF) rules to detect and block requests with suspicious path patterns
- Deploy network-level monitoring to identify unexpected connections from application servers to internal resources
- Audit dependency versions using npm audit or similar tools to identify vulnerable undici versions
Monitoring Recommendations
- Enable detailed logging for all undici.request calls, particularly capturing the path and origin parameters
- Set up alerts for any outbound requests from application servers to localhost or private IP ranges
- Monitor for failed connection attempts to internal services that may indicate SSRF probing
- Implement egress filtering to restrict application servers from making arbitrary outbound connections
How to Mitigate CVE-2022-35949
Immediate Actions Required
- Update undici to version 5.8.1 or later immediately using npm update undici or yarn upgrade undici
- Audit all code paths where user input is passed to undici.request path or pathname parameters
- Implement strict input validation for any user-controlled URL components before passing them to undici
- Review application logs for evidence of exploitation attempts
Patch Information
The vulnerability was fixed in undici version 5.8.1. The patch ensures that user-supplied path values are properly sanitized by prepending a forward slash if missing and using string concatenation instead of the URL constructor's base URL behavior. For detailed technical changes, refer to the GitHub Security Advisory GHSA-8qr4-xgw6-wmr3 and the official release v5.8.2.
Workarounds
- Validate user input before passing it to undici.request to ensure it does not contain absolute URLs or protocol-relative URLs
- Implement an allowlist of permitted path patterns and reject any input that doesn't match
- Use URL parsing to extract only the pathname component and reject input containing hostname or protocol information
- Consider implementing a proxy or gateway that validates and sanitizes outbound requests
# Update undici to patched version
npm update undici
# Verify installed version
npm list undici
# Run security audit
npm audit
# Force update if needed
npm install undici@latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
