Home > Vulnerability Database > CVE-2022-32210

Mend.io Vulnerability Database

CVE-2022-32210

Good to know:

Date: July 14, 2022

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Language: JS

Severity Score

6.5

Related Resources (6)

Url: https://github.com/nodejs/undici/commit/df4f7e0e95f5112322a96fd7a666cb28c1d48327

Url: https://security-tracker.debian.org/tracker/CVE-2022-32210

Url: https://hackerone.com/reports/1583680

Url: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-32210

Url: https://www.mend.io/vulnerability-database/CVE-2022-32210

Severity Score

6.5

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version undici - 5.5.1

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-32210

Good to know:

Date: July 14, 2022

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?