Description
Impact:
undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.

Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.

Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.

Patches:
Upgrade to undici v7.28.0 or v8.5.0.

Workarounds:
No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Published: 2026-06-17
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Undici’s ProxyAgent incorrectly discards the requestTls configuration when a SOCKS5 proxy URI is provided. As a result, the HTTPS connection through the SOCKS5 tunnel falls back to Node.js’s default trust store, ignoring custom TLS options such as ca, cert, key, rejectUnauthorized, and servername that the application supplies. When an application relies on requestTls to pin its connection to an internal or corporate CA, the fallback to the default Mozilla CA bundle means that any certificate signed by a publicly trusted CA for the target hostname is accepted, breaking the intended pinning and allowing an attacker to read or tamper with the traffic.

Affected Systems

The vulnerability affects the undici library. Versions 7.23.0 through 7.27.x and 8.0.0 through 8.4.x are impacted until the fix is applied in undici 7.28.0 or 8.5.0. Deployments that bundle undici, such as Red Hat Hummingbird 1, are also affected.

Risk and Exploitability

The CVSS v3.1 score of 7.4 classifies this as a high‑severity flaw. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. To exploit the flaw an attacker must control or influence the SOCKS5 proxy used by the application; the proxy can then present a certificate signed by a public CA that is otherwise rejected by the application if requestTls was honored. Successful exploitation results in a MITM that can read and modify HTTPS traffic.

Generated by OpenCVE AI on June 18, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to version 7.28.0 or 8.5.0 to apply the vendor patch
  • If a library upgrade is not immediately possible, route traffic through an HTTP‑proxy ProxyAgent instead of the SOCKS5 ProxyAgent so that requestTls settings are respected
  • Audit application code and configurations to ensure that requestTls is not used in combination with a SOCKS5 proxy where certificate pinning is required, and adjust the proxy strategy or dependency versions accordingly

Generated by OpenCVE AI on June 18, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vmh5-mc38-953g undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
History

Tue, 23 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Title undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-07-08T12:06:11.547Z

Reserved: 2026-05-27T12:02:46.825Z

Link: CVE-2026-9697

cve-icon Vulnrichment

Updated: 2026-07-07T12:05:08.372Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T16:46:42Z

Links: CVE-2026-9697 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-295

    Improper Certificate Validation