Debian Node-Undici vulnerabilities
23 known vulnerabilities affecting debian/node-undici.
Total CVEs: 23
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 9, LOW 10
Vulnerabilities
Page 2 of 2
CVE-2022-35949 | MEDIUM | CVSS 5.3 | fixed in node-undici 5.8.2+dfsg1+~cs18.9.18.1-1 (bookworm) | 2022
undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-Side Request Forgery) when an application passes **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://
debian
CVE-2022-32210 | MEDIUM | CVSS 6.5 | fixed in node-undici 5.6.1+dfsg1+~cs18.9.16-1 (bookworm) | 2022
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Scope: local
debian
CVE-2022-31151 | LOW | CVSS 3.7 | fixed in node-undici 5.8.0+dfsg1+~cs18.9.16-1 (bookworm) | 2022
Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a 3rd-party site or a malicious attacker who can control the redirection target (i.e. an
debian