CVE-2022-33987
URL Redirection vulnerability in got (npm)
What is CVE-2022-33987 About?
The `got` HTTP client for Node.js, in versions before 11.8.5 and in 12.0.0 up to but not including 12.1.0, follows HTTP redirects without checking whether the redirect target is a UNIX socket URL. A server whose response `got` processes can therefore return a `Location` header that sends the follow-up request to a local UNIX socket, bypassing the network restrictions the original request was subject to and reaching services that listen only locally. Exploitation requires control over a response that a `got` request receives, typically by controlling the external resource the request targets.
Affected Software
- got
- <11.8.5
- >=12.0.0, <12.1.0
Technical Details
`got` accepts UNIX socket targets in the documented form `PROTOCOL://unix:SOCKET:PATH` (for example `http://unix:/var/run/docker.sock:/containers/json`): the literal hostname `unix` marks the URL as a socket request, and the pathname carries the socket path followed by the request path. In the affected versions the redirect handler resolves the `Location` header of a 3xx response against the current request URL and follows it without checking whether the resolved target is a socket URL. A server that controls a response can therefore answer with `Location: http://unix:/var/run/docker.sock:/containers/json` (a protocol-relative `//unix:...` value resolves the same way) and the next request is delivered to the local socket instead of a network host. Because that request originates inside the victim process, it bypasses network-based controls such as egress filtering or allow-lists applied to the original hostname and reaches services that listen only on local sockets. The attacker needs no access to the victim host, only a response that `got` receives while following redirects, which is the case whenever `got` fetches an attacker-influenced URL or a server the application trusts has been compromised.
What is the Impact of CVE-2022-33987?
Successful exploitation lets an attacker who controls a redirect response route a request from the victim process to a local UNIX socket, bypassing network restrictions and gaining access to services that are reachable only locally. The impact then depends on what listens on the socket: at minimum, access to internal APIs that were never meant to be reachable from a network request; where a privileged daemon (a container runtime or similar control socket, for example) accepts unauthenticated requests, potentially the ability to execute local commands through it.
What is the Exploitability of CVE-2022-33987?
Exploitation requires control over a response that `got` receives: the attacker must be able to return a 3xx status with a `Location` header pointing at a UNIX socket URL, either by running the server that `got` is sent to (for example when the target URL comes from user input, a webhook registration, or an avatar or feed URL) or by compromising a server the application already talks to. No authentication to the `got` client is involved; whether authentication to the redirecting server is needed depends only on how the attacker gains control of that server's responses. Because redirect handling runs inside the victim process, this is a remote attack whenever `got` fetches URLs derived from untrusted data and follows redirects (the default). Risk is highest in server-side fetchers that run on hosts with sensitive local sockets, such as CI runners, container hosts and control-plane nodes.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-33987?
About the Fix from Resolved Security
The patch blocks HTTP redirects from an ordinary network URL to a UNIX socket URL: when a redirect target resolves to a socket URL while the original request was not itself addressed to a socket, `got` throws an error instead of following it. This fixes CVE-2022-33987 by making it impossible for a redirect response to turn a network request into a request against a local socket, which could otherwise give unintended access to local resources.
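The redirect resolution described under Technical Details and the guard described in the fix note above, as an added example written for this page (it is not code from got, from the advisory, or from the fix PR): it shows how a `Location` header is resolved against the request URL, how a URL of got's documented `PROTOCOL://unix:SOCKET:PATH` form looks to the WHATWG URL parser (hostname `unix`), and a network-to-socket check of the kind the fix note refers to. The `redirectDecision` helper, the `splitUnixTarget` helper and the sample redirects are constructed for illustration; the exact check in got's patch may differ in detail.

```javascript
// Added example for this page; not code from got or from the advisory.
// Models redirect resolution and a "network URL must not redirect to a
// UNIX socket" guard. Node's global WHATWG URL class is the only dependency.

// got documents UNIX socket targets as PROTOCOL://unix:SOCKET:PATH, e.g.
// http://unix:/var/run/docker.sock:/containers/json. To the URL parser that is
// an ordinary URL whose hostname is the literal string "unix", with the socket
// path and request path joined by ":" inside the pathname.
function isUnixSocketUrl(url) {
  return url.protocol === 'unix:' || url.hostname === 'unix';
}

// Split a socket-form URL into socket path and HTTP request path: everything
// before the first ":" in the pathname is the socket, the rest is the path
// that would be sent over it. (Illustrative helper, not got's parser.)
function splitUnixTarget(url) {
  const combined = url.pathname + url.search;
  const i = combined.indexOf(':');
  if (i === -1) return {socketPath: combined, path: '/'};
  return {socketPath: combined.slice(0, i), path: combined.slice(i + 1)};
}

// Decide whether a redirect-following client should send the next request.
// blockUnixSockets=false models the vulnerable behaviour (every Location is
// followed); blockUnixSockets=true models the fix: a request that was not
// itself addressed to a socket may never be redirected to one.
function redirectDecision(currentUrl, location, {blockUnixSockets = true} = {}) {
  const from = new URL(currentUrl);
  // Location is resolved relative to the request URL, so protocol-relative
  // and path-only values are legal and must be resolved before inspection.
  const to = new URL(location, from);
  const toSocket = isUnixSocketUrl(to);
  const crossesIntoSocket = !isUnixSocketUrl(from) && toSocket;

  if (blockUnixSockets && crossesIntoSocket) {
    return {follow: false, reason: 'Cannot redirect to UNIX socket', target: to.href};
  }
  return {
    follow: true,
    reason: crossesIntoSocket ? 'network-to-socket redirect followed (vulnerable)' : 'ok',
    target: to.href,
    ...(toSocket ? splitUnixTarget(to) : {}),
  };
}

// Constructed sample redirects (not captured traffic): an attacker-controlled
// origin answers a request for an avatar with various Location headers.
const sampleRedirects = [
  {url: 'https://example.test/avatar', location: 'https://cdn.example.test/a.png'},
  {url: 'https://example.test/avatar', location: 'http://unix:/var/run/docker.sock:/containers/json'},
  // protocol-relative form resolves to https://unix:/... and is still a socket URL
  {url: 'https://example.test/avatar', location: '//unix:/var/run/docker.sock:/version'},
  // a request that already targets a socket may stay on that socket
  {url: 'http://unix:/tmp/app.sock:/health', location: 'http://unix:/tmp/app.sock:/ready'},
];

function classify(blockUnixSockets) {
  return sampleRedirects.map(({url, location}) =>
    redirectDecision(url, location, {blockUnixSockets}));
}

// Stand-alone run: print the vulnerable and the fixed decisions side by side.
for (const mode of [false, true]) {
  console.log(`blockUnixSockets=${mode}`);
  for (const decision of classify(mode)) console.log(' ', decision);
}
```

The check compares the resolved target, not the raw header value, which is why the protocol-relative case is caught: only after resolution does the hostname become `unix`. Checking the original request as well keeps legitimate socket-to-socket redirects working, matching the fix note's scope of network-to-socket redirects only.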
Available Upgrade Options
- got
- <11.8.5 → Upgrade to 11.8.5
- got
- >=12.0.0, <12.1.0 → Upgrade to 12.1.0
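A check for the affected ranges above against an installed dependency tree, as an added example for this page (not tooling from got, the advisory, or Resolved Security). It assumes the object shape printed by `npm ls got --all --json`, where nested `dependencies` maps carry a `version` per entry; the tree in the block is constructed, and `AFFECTED_RANGES`, `audit` and the helper names are this example's own.

```javascript
// Added example for this page, not tooling from got or the advisory: flag
// installed got versions that fall in the affected ranges. Reads the object
// shape printed by `npm ls got --all --json` (nested "dependencies" maps whose
// entries carry a "version"); the tree below is constructed for illustration.

// Affected ranges from the advisory: <11.8.5 and >=12.0.0 <12.1.0.
const AFFECTED_RANGES = [
  {min: null, max: '11.8.5'},
  {min: '12.0.0', max: '12.1.0'},
];

// Parse "MAJOR.MINOR.PATCH"; a pre-release suffix (e.g. 12.1.0-beta.1) is
// treated as older than its base version, as semver orders it.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4])};
}

// Comparator semantics (<0, 0, >0); a pre-release sorts below its release.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] - b.parts[i];
  }
  return Number(b.prerelease) - Number(a.prerelease);
}

function isAffected(version) {
  const v = parseSemver(version);
  return AFFECTED_RANGES.some(({min, max}) =>
    (min === null || compareSemver(v, parseSemver(min)) >= 0)
    && compareSemver(v, parseSemver(max)) < 0);
}

// Walk the npm ls tree depth-first, recording every got node together with
// the dependency path that pulled it in (transitive copies matter as much
// as the direct one).
function findGot(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, `${name}@${node.version ?? '?'}`];
    if (name === 'got' && node.version) {
      out.push({path: here.join(' > '), version: node.version, affected: isAffected(node.version)});
    }
    findGot(node, here, out);
  }
  return out;
}

// Constructed tree in the npm ls --json shape; versions chosen to cover both
// affected ranges, the fixed 12.1.0 release and an old 9.x line.
const sampleNpmLs = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    got: {version: '11.8.3'},
    'package-json': {version: '6.5.0', dependencies: {got: {version: '9.6.0'}}},
    'update-notifier': {version: '6.0.2', dependencies: {got: {version: '12.1.0'}}},
    'some-tool': {version: '1.0.0', dependencies: {got: {version: '12.0.3'}}},
  },
};

function audit(tree = sampleNpmLs) {
  return findGot(tree);
}

for (const hit of audit()) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} got@${hit.version}  via ${hit.path}`);
}
```

To run it against a real project, save `npm ls got --all --json > deps.json` and pass `JSON.parse(fs.readFileSync('deps.json', 'utf8'))` to `audit`; every path flagged AFFECTED needs the parent dependency bumped or an override to 11.8.5 or 12.1.0, since a single transitive copy in the old range is enough to be exploitable.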
Additional Resources
- https://github.com/sindresorhus/got
- https://github.com/sindresorhus/got/pull/2047
- https://github.com/sindresorhus/got/releases/tag/v11.8.5
- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc
- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0
- https://osv.dev/vulnerability/GHSA-pfrx-2q88-qq97
- https://github.com/sindresorhus/got/releases/tag/v12.1.0
What are Similar Vulnerabilities to CVE-2022-33987?
Similar Vulnerabilities: CVE-2021-23381, CVE-2020-13768, CVE-2019-1000010, CVE-2018-1000007, CVE-2017-16010
