Impact
Undici’s ProxyAgent incorrectly discards the requestTls configuration when a SOCKS5 proxy URI is provided. As a result, the HTTPS connection through the SOCKS5 tunnel falls back to Node.js’s default trust store, ignoring custom TLS options such as ca, cert, key, rejectUnauthorized, and servername that the application supplies. When an application relies on requestTls to pin its connection to an internal or corporate CA, the fallback to the default Mozilla CA bundle means that any certificate signed by a publicly trusted CA for the target hostname is accepted, breaking the intended pinning and allowing an attacker to read or tamper with the traffic.
Affected Systems
The vulnerability affects the undici library. Versions 7.23.0 through 7.27.x and 8.0.0 through 8.4.x are impacted until the fix is applied in undici 7.28.0 or 8.5.0. Deployments that bundle undici, such as Red Hat Hummingbird 1, are also affected.
Risk and Exploitability
The CVSS v3.1 score of 7.4 classifies this as a high‑severity flaw. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. To exploit the flaw an attacker must control or influence the SOCKS5 proxy used by the application; the proxy can then present a certificate signed by a public CA that is otherwise rejected by the application if requestTls was honored. Successful exploitation results in a MITM that can read and modify HTTPS traffic.
OpenCVE Enrichment
Github GHSA