[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2022-35949":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":23,"aliases":33,"duplicate_of":9,"upstream":35,"downstream":36,"duplicates":47,"related":48,"reserved_at":9,"published_at":53,"modified_at":54,"state":55,"summary":56,"references_raw":64,"kevs":95,"epss":96,"epss_history":99,"metrics":373,"affected":386},"CVE-2022-35949","undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-918","Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.","weakness","Incomplete","Base",[19],{"id":20,"name":21,"techniques":22},"CAPEC-664","Server Side Request Forgery",[],[24],{"_key":25,"name":26,"source":27,"url":28,"maturity":29,"reliability_score":30,"verified":31,"type":9,"platforms":32,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_NODEJS_UNDICI","Undici","github","https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc","poc",0.3,false,[],[34],"GHSA-8qr4-xgw6-wmr3",[],[37,39,41,43,45],{"_key":38},"SUSE-SU-2022:3196-1",{"_key":40},"SUSE-SU-2022:3250-1",{"_key":42},"SUSE-SU-2022:3251-1",{"_key":44},"OPENSUSE-SU-2024:12285-1",{"_key":46},"DEBIAN-CVE-2022-35949",[],[49,50,51,52],{"_key":38},{"_key":40},{"_key":42},{"_key":44},"2022-08-12T00:00:00.000Z","2025-04-22T17:42:40.255Z","Modified",{"cisa_kev":31,"cisa_ransomware":31,"cisa_vendor":9,"epss_severity":57,"epss_score":58,"severity":59,"severity_score":60,"severity_version":61,"severity_source":62,"severity_vector":63,"severity_status":55},"low",0.0039,"critical",9.8,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[65,75,80,85,90],{"url":66,"sources":67,"tags":70},"https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3",[68,62,69],"cve.org","osv_npm",[71,72,73,74],"Exploit","Mitigation","Third Party Advisory","WEB",{"url":76,"sources":77,"tags":78},"https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895",[68,62,69],[79,73,74],"Patch",{"url":81,"sources":82,"tags":83},"https://github.com/nodejs/undici/releases/tag/v5.8.2",[68,62,69],[84,73,74],"Release Notes",{"url":86,"sources":87,"tags":88},"https://nvd.nist.gov/vuln/detail/CVE-2022-35949",[69],[89],"Advisory",{"url":91,"sources":92,"tags":93},"https://github.com/nodejs/undici",[69],[94],"PACKAGE",[],{"date":97,"score":58,"percentile":98},"2026-06-04",0.60359,[100,104,107,110,113,116,120,123,126,129,132,135,137,140,143,147,150,153,156,159,161,164,167,169,172,175,178,181,185,188,191,194,196,199,202,205,207,210,213,216,219,222,225,228,231,234,237,240,243,246,249,252,255,258,261,264,267,270,274,278,281,284,287,290,293,296,299,302,305,308,311,314,317,320,323,326,329,333,336,339,342,345,348,351,354,357,360,363,366,369],{"date":101,"score":102,"percentile":103},"2025-11-04",0.00424,0.6141,{"date":105,"score":102,"percentile":106},"2025-11-05",0.61398,{"date":108,"score":102,"percentile":109},"2025-11-06",0.61404,{"date":111,"score":102,"percentile":112},"2025-11-07",0.61419,{"date":114,"score":102,"percentile":115},"2025-11-08",0.61425,{"date":117,"score":118,"percentile":119},"2025-11-09",0.00418,0.61032,{"date":121,"score":118,"percentile":122},"2025-11-10",0.61009,{"date":124,"score":118,"percentile":125},"2025-11-11",0.61022,{"date":127,"score":118,"percentile":128},"2025-11-12",0.61048,{"date":130,"score":118,"percentile":131},"2025-11-13",0.61054,{"date":133,"score":118,"percentile":134},"2025-11-14",0.61062,{"date":136,"score":118,"percentile":131},"2025-11-15",{"date":138,"score":118,"percentile":139},"2025-11-16",0.61042,{"date":141,"score":118,"percentile":142},"2025-11-17",0.61043,{"date":144,"score":145,"percentile":146},"2025-11-18",0.00292,0.49528,{"date":148,"score":145,"percentile":149},"2025-11-19",0.49541,{"date":151,"score":145,"percentile":152},"2025-11-20",0.49529,{"date":154,"score":118,"percentile":155},"2025-11-21",0.61053,{"date":157,"score":118,"percentile":158},"2025-11-22",0.61058,{"date":160,"score":118,"percentile":142},"2025-11-23",{"date":162,"score":118,"percentile":163},"2025-11-24",0.6104,{"date":165,"score":118,"percentile":166},"2025-11-25",0.61047,{"date":168,"score":118,"percentile":128},"2025-11-26",{"date":170,"score":118,"percentile":171},"2025-11-27",0.61055,{"date":173,"score":118,"percentile":174},"2025-11-28",0.61037,{"date":176,"score":118,"percentile":177},"2025-11-29",0.61011,{"date":179,"score":118,"percentile":180},"2025-11-30",0.61002,{"date":182,"score":183,"percentile":184},"2025-12-01",0.00234,0.46148,{"date":186,"score":183,"percentile":187},"2025-12-02",0.46163,{"date":189,"score":183,"percentile":190},"2025-12-03",0.46156,{"date":192,"score":118,"percentile":193},"2025-12-04",0.60997,{"date":195,"score":118,"percentile":122},"2025-12-05",{"date":197,"score":118,"percentile":198},"2025-12-06",0.61005,{"date":200,"score":118,"percentile":201},"2025-12-07",0.61,{"date":203,"score":118,"percentile":204},"2025-12-08",0.61004,{"date":206,"score":118,"percentile":139},"2025-12-09",{"date":208,"score":118,"percentile":209},"2025-12-10",0.6109,{"date":211,"score":118,"percentile":212},"2025-12-11",0.6111,{"date":214,"score":118,"percentile":215},"2025-12-12",0.61133,{"date":217,"score":118,"percentile":218},"2025-12-13",0.61137,{"date":220,"score":118,"percentile":221},"2025-12-14",0.61136,{"date":223,"score":118,"percentile":224},"2025-12-15",0.61115,{"date":226,"score":118,"percentile":227},"2025-12-16",0.61135,{"date":229,"score":118,"percentile":230},"2025-12-17",0.61154,{"date":232,"score":118,"percentile":233},"2025-12-18",0.61192,{"date":235,"score":118,"percentile":236},"2025-12-19",0.61203,{"date":238,"score":118,"percentile":239},"2025-12-20",0.61204,{"date":241,"score":118,"percentile":242},"2025-12-21",0.61191,{"date":244,"score":118,"percentile":245},"2025-12-22",0.61181,{"date":247,"score":118,"percentile":248},"2025-12-23",0.61197,{"date":250,"score":118,"percentile":251},"2025-12-24",0.61207,{"date":253,"score":118,"percentile":254},"2025-12-25",0.6124,{"date":256,"score":118,"percentile":257},"2025-12-26",0.61236,{"date":259,"score":118,"percentile":260},"2025-12-27",0.61285,{"date":262,"score":118,"percentile":263},"2025-12-28",0.61212,{"date":265,"score":118,"percentile":266},"2025-12-29",0.61206,{"date":268,"score":118,"percentile":269},"2025-12-30",0.61221,{"date":271,"score":272,"percentile":273},"2025-12-31",0.00381,0.58948,{"date":275,"score":276,"percentile":277},"2026-01-01",0.00213,0.44014,{"date":279,"score":276,"percentile":280},"2026-01-02",0.43989,{"date":282,"score":276,"percentile":283},"2026-01-03",0.43979,{"date":285,"score":272,"percentile":286},"2026-01-04",0.58924,{"date":288,"score":272,"percentile":289},"2026-01-05",0.58916,{"date":291,"score":272,"percentile":292},"2026-01-06",0.58925,{"date":294,"score":272,"percentile":295},"2026-01-07",0.58953,{"date":297,"score":272,"percentile":298},"2026-01-08",0.58979,{"date":300,"score":272,"percentile":301},"2026-01-09",0.58985,{"date":303,"score":272,"percentile":304},"2026-01-10",0.58982,{"date":306,"score":272,"percentile":307},"2026-01-11",0.58964,{"date":309,"score":272,"percentile":310},"2026-01-12",0.58936,{"date":312,"score":272,"percentile":313},"2026-01-13",0.58909,{"date":315,"score":272,"percentile":316},"2026-01-14",0.58956,{"date":318,"score":272,"percentile":319},"2026-01-15",0.5896,{"date":321,"score":272,"percentile":322},"2026-01-16",0.58981,{"date":324,"score":272,"percentile":325},"2026-01-17",0.58975,{"date":327,"score":272,"percentile":328},"2026-01-18",0.58968,{"date":330,"score":331,"percentile":332},"2026-01-19",0.0037,0.58279,{"date":334,"score":331,"percentile":335},"2026-01-20",0.58287,{"date":337,"score":331,"percentile":338},"2026-01-21",0.58288,{"date":340,"score":331,"percentile":341},"2026-01-22",0.58286,{"date":343,"score":331,"percentile":344},"2026-01-23",0.58326,{"date":346,"score":331,"percentile":347},"2026-01-24",0.58334,{"date":349,"score":331,"percentile":350},"2026-01-25",0.58298,{"date":352,"score":331,"percentile":353},"2026-01-26",0.58282,{"date":355,"score":331,"percentile":356},"2026-01-27",0.58292,{"date":358,"score":331,"percentile":359},"2026-01-28",0.583,{"date":361,"score":331,"percentile":362},"2026-01-29",0.58303,{"date":364,"score":331,"percentile":365},"2026-01-30",0.58305,{"date":367,"score":331,"percentile":368},"2026-01-31",0.58306,{"date":370,"score":371,"percentile":372},"2026-02-01",0.00207,0.43029,[374,381,384],{"source":68,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":375,"cvss_v4_0":9},{"baseScore":376,"baseSeverity":377,"vectorString":378,"impactScore":379,"exploitabilityScore":380},5.3,"MEDIUM","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",2.3,10,{"source":62,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":382,"cvss_v4_0":9},{"baseScore":60,"baseSeverity":383,"vectorString":63,"impactScore":60,"exploitabilityScore":380},"CRITICAL",{"source":69,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":385,"cvss_v4_0":9},{"baseScore":376,"baseSeverity":9,"vectorString":378,"impactScore":379,"exploitabilityScore":380},[387,398],{"ecosystem":9,"name":388,"vendor":389,"product":388,"cpe_part":390,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":391},"undici","nodejs","a",[392],{"version":393,"is_range":394,"range_type":395,"version_start":9,"version_start_type":9,"version_end":396,"version_end_type":397,"fixed_in":9},"lte5.8.1",true,"cpe","5.8.1","including",{"ecosystem":399,"name":388,"vendor":399,"product":388,"cpe_part":9,"purl_type":400,"purl_namespace":9,"purl_name":388,"source":9,"versions":401},"Npm","npm",[402],{"version":403,"is_range":394,"range_type":404,"version_start":9,"version_start_type":9,"version_end":405,"version_end_type":406,"fixed_in":9},"lt5_8_2","semver","5.8.2","excluding"]