{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/undici--8.0.0--8.5.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["undici (\u003e= 7.23.0, \u003c 7.28.0)","undici (\u003e= 8.0.0, \u003c 8.5.0)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","tls-bypass","node.js","npm"],"_cs_type":"advisory","_cs_vendors":["undici"],"content_html":"\u003cp\u003eThe \u003ccode\u003eundici\u003c/code\u003e HTTP/1.1 client for Node.js, specifically its \u003ccode\u003eProxyAgent\u003c/code\u003e component, is affected by CVE-2026-9697, a critical TLS certificate validation bypass vulnerability. This flaw, introduced in \u003ccode\u003eundici\u003c/code\u003e versions 7.23.0 and 8.0.0, occurs when the \u003ccode\u003eProxyAgent\u003c/code\u003e is configured to use a SOCKS5 proxy. In such scenarios, the \u003ccode\u003erequestTls\u003c/code\u003e option, intended for strict TLS validation (e.g., pinning to internal CAs or custom certificates), is silently ignored. As a result, HTTPS connections established through the SOCKS5 tunnel default to Node.js's standard trust store. This allows an attacker, capable of performing a Man-in-the-Middle (MITM) attack, to present any valid certificate signed by a publicly trusted Certificate Authority, thereby bypassing the application's intended certificate pinning and enabling the interception and potential manipulation of encrypted traffic. 
Defenders should prioritize patching and reassess network configurations involving \u003ccode\u003eundici\u003c/code\u003e and SOCKS5 proxies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Attacker Pre-condition):\u003c/strong\u003e An attacker establishes a Man-in-the-Middle (MITM) position, enabling them to intercept network traffic between a vulnerable Node.js application and its target HTTPS server (e.g., via DNS poisoning, rogue Wi-Fi, compromised network infrastructure, or controlling the SOCKS5 proxy itself).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Application Execution:\u003c/strong\u003e A Node.js application, utilizing \u003ccode\u003eundici\u003c/code\u003e's \u003ccode\u003eProxyAgent\u003c/code\u003e (or \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e directly) with a SOCKS5 proxy URI (e.g., \u003ccode\u003esocks5://proxy.attacker.com\u003c/code\u003e), attempts to establish an HTTPS connection to a target server, while being configured to enforce strict TLS validation via the \u003ccode\u003erequestTls\u003c/code\u003e option (e.g., pinning to a custom Certificate Authority).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTLS Option Dropped:\u003c/strong\u003e Due to the vulnerability (CVE-2026-9697), \u003ccode\u003eundici\u003c/code\u003e's \u003ccode\u003eProxyAgent\u003c/code\u003e silently disregards the \u003ccode\u003erequestTls\u003c/code\u003e configuration (including \u003ccode\u003eca\u003c/code\u003e, \u003ccode\u003ecert\u003c/code\u003e, \u003ccode\u003ekey\u003c/code\u003e, \u003ccode\u003erejectUnauthorized\u003c/code\u003e, \u003ccode\u003eservername\u003c/code\u003e) that was specified for the outgoing HTTPS connection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFallback to Default Trust Store:\u003c/strong\u003e The vulnerable application proceeds to establish the HTTPS connection, but instead of using the 
application's defined \u003ccode\u003erequestTls\u003c/code\u003e settings, it defaults to Node.js's standard trust store (typically the Mozilla CA bundle) for validating the target server's certificate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Certificate Presentation:\u003c/strong\u003e The attacker, from their MITM vantage point, intercepts the TLS handshake and presents a valid HTTPS certificate for the target hostname, which is signed by \u003cem\u003eany\u003c/em\u003e publicly trusted Certificate Authority.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCertificate Acceptance and MITM:\u003c/strong\u003e The vulnerable application, now relying on the default trust store, accepts the attacker's certificate as legitimate because it is signed by a publicly trusted CA. This bypasses the application's intended strict TLS pinning and validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Interception and Tampering:\u003c/strong\u003e The attacker can now transparently decrypt, inspect, modify, and re-encrypt the HTTPS traffic flowing between the vulnerable Node.js application and the legitimate target server, allowing for full Man-in-the-Middle capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-9697 is severe for applications relying on \u003ccode\u003eundici\u003c/code\u003e's \u003ccode\u003eProxyAgent\u003c/code\u003e with SOCKS5 proxies for secure HTTPS communication, especially those implementing certificate pinning or custom CA trust. If exploited, an attacker positioned in a Man-in-the-Middle (MITM) role can completely bypass intended TLS security controls. This allows them to intercept sensitive data transmitted over HTTPS, including credentials, personally identifiable information (PII), and proprietary business data. 
Furthermore, the attacker can tamper with this data, potentially leading to unauthorized transactions, data corruption, or execution of malicious commands within the application's context. While specific victim counts are not available, any organization using affected \u003ccode\u003eundici\u003c/code\u003e versions in conjunction with SOCKS5 proxies for critical application-to-application communication is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade undici immediately:\u003c/strong\u003e Upgrade affected Node.js applications to \u003ccode\u003eundici\u003c/code\u003e v7.28.0 or v8.5.0 to remediate CVE-2026-9697.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy package version detection:\u003c/strong\u003e Deploy the provided Sigma rule \u0026quot;Detect Vulnerable undici Package Versions (CVE-2026-9697)\u0026quot; to identify affected systems within your environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement workaround if upgrade isn't possible:\u003c/strong\u003e If an immediate upgrade is not feasible, reconfigure \u003ccode\u003eProxyAgent\u003c/code\u003e to route traffic through an HTTP proxy instead of SOCKS5 when \u003ccode\u003erequestTls\u003c/code\u003e is required for strict validation, as \u003ccode\u003erequestTls\u003c/code\u003e is honored correctly for HTTP proxies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor for Node.js SOCKS5 usage:\u003c/strong\u003e Deploy the \u0026quot;Detect Node.js Process Initiating SOCKS5 Proxy Connection\u0026quot; Sigma rule to identify Node.js applications potentially using SOCKS5 proxies, which may indicate vulnerable configurations if combined with \u003ccode\u003eundici\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:51:27Z","date_published":"2026-06-18T14:51:27Z","id":"https://feed.craftedsignal.io/briefs/2026-06-undici-tls-bypass/","summary":"A 
vulnerability in undici's ProxyAgent, when configured with a SOCKS5 proxy, causes the `requestTls` option to be silently dropped. This bypasses user-configured TLS certificate validation settings (e.g., custom CAs), allowing HTTPS connections through the SOCKS5 tunnel to fall back to the Node.js default trust store. This flaw enables Man-in-the-Middle (MITM) attacks, where any publicly-trusted certificate for the target hostname would be accepted, compromising the intended certificate pinning and allowing attackers to read or tamper with HTTPS traffic.","title":"undici TLS Validation Bypass via SOCKS5 ProxyAgent (CVE-2026-9697)","url":"https://feed.craftedsignal.io/briefs/2026-06-undici-tls-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Undici (\u003e= 8.0.0, \u003c 8.5.0)","version":"https://jsonfeed.org/version/1.1"}