Nodejs Undici vulnerabilities
22 known vulnerabilities affecting nodejs/undici.
Total CVEs: 22
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL 2, HIGH 5, MEDIUM 11, LOW 4
Vulnerabilities
Page 2 of 2
CVE-2022-31150 [MEDIUM] CVSS 6.5; CWE-93; fixed in 5.8.0; fixed in v5.7.1, >= v5.8.0; 2022-07-19
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
cvelistv5, nvd
CVE-2022-32210 [MEDIUM] CVSS 6.5; CWE-295; ≥ 4.8.2, < 5.5.1; 2022-07-14
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
nvd