CVE-2026-9697: undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Impact

undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring the user-configured ca, cert, key, rejectUnauthorized, and servername settings. An application that pins to an internal or corporate CA via requestTls.ca therefore gets the default Mozilla CA bundle as its trust anchor whenever the proxy URI is SOCKS5: any certificate issued by any publicly trusted CA for the target hostname is accepted, the intended pin is broken, and an on-path attacker can read and tamper with the HTTPS exchange.

Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with a SOCKS5 proxy AND rely on requestTls to restrict which server certificates are trusted. The bug was introduced in undici 7.23.0, when SOCKS5 support was added.

Patches

Upgrade to undici v7.28.0 or v8.5.0.

Workarounds

No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: 7.28.0, 8.5.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a TLS certificate validation bypass in undici's ProxyAgent component. When a SOCKS5 proxy URI is used alongside the requestTls option, undici silently drops the user-supplied TLS configuration (custom CA, client certificate, rejectUnauthorized, and servername settings), causing the HTTPS connection through the SOCKS5 tunnel to fall back to the default Mozilla CA bundle. An attacker positioned on the network path can present any certificate signed by a publicly-trusted CA for the target hostname, enabling man-in-the-middle reading and tampering of the HTTPS exchange. Patched-image rebuilds at undici 7.28.0 and 8.5.0 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle undici directly. Any image containing an affected undici version (7.23.0 through 7.27.x, or 8.0.0 through 8.4.x) is flagged automatically.
HarborGuard surfaces this CVE with its CVSS 3.1 score of 7.4 (HIGH) and can weight that score against each customer environment's compliance policy to reflect real-world exposure. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
A patched-image rebuild targeting undici 7.28.0 or 8.5.0 becomes available through HarborGuard as soon as the fix versions are confirmed in the upstream registry. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be positioned on the network path between the undici client and the upstream HTTPS server (or control a node that can intercept the SOCKS5-tunneled connection) to carry out the man-in-the-middle attack.
- Authentication: Not required
No credentials or account are needed; the vulnerability is exploitable by any party on the network path without authenticating to the target application.
- Victim interaction: Not required
No user action is needed; exploitation proceeds without any victim involvement once the attacker is on the network path and the vulnerable application makes an outbound HTTPS request through the SOCKS5 proxy.
- Attack complexity: High
Attack complexity is HIGH (AC:H): the attacker must arrange to intercept the specific network path of the SOCKS5-tunneled connection, so exploitation depends on network positioning rather than being reliable and condition-free.
Blast Radius
- The attacker reads the full plaintext of HTTPS request and response bodies, including any session tokens, API keys, or sensitive data transmitted through the SOCKS5 tunnel.
- The attacker modifies HTTP requests or responses in transit, injecting or altering content that the application treats as trusted server output.
- Custom CA pinning is silently bypassed, so any certificate signed by a publicly-trusted CA is accepted for the target hostname, and mutual-TLS client credentials supplied via requestTls (cert and key) are never presented to the server.
How HarborGuard Handles This
Available on HarborGuard: detection is matched against images containing undici 7.23.0 through 7.27.x and 8.0.0 through 8.4.x within minutes of CVE publication. For environments where the compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at undici 7.28.0 or 8.5.0, run a regression test pass, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Where an upgrade is not immediately possible and the SOCKS5 path is not strictly required, a network policy restricting outbound SOCKS5 proxy usage or rerouting affected services through an HTTP-proxy ProxyAgent (where requestTls is honored) can limit exposure until the rebuild is applied. HarborGuard will re-check the advisory on each ingest cycle and surface any downstream patch revisions automatically.
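The advisory's workaround (route through an HTTP proxy, where requestTls is honored) and the affected version ranges in the Impact and coverage sections lend themselves to a pre-upgrade check. The following is an added example, not undici's code nor HarborGuard's: it flags the vulnerable combination (a socks:// or socks5:// proxy URI plus requestTls on an affected undici version) and builds ProxyAgent options that refuse that combination instead of silently connecting with the default trust store. It assumes undici's documented ProxyAgent option names uri and requestTls; the deployment records and host names are constructed sample data, and buildProxyAgentOptions and auditDeployments are helper names chosen for this example.

```javascript
// Added example for CVE-2026-9697; not part of undici or HarborGuard.
// Affected ranges as stated in the advisory: 7.23.0 <= v < 7.28.0 and 8.0.0 <= v < 8.5.0.
const AFFECTED_RANGES = [
  { from: [7, 23, 0], fixed: [7, 28, 0] },
  { from: [8, 0, 0], fixed: [8, 5, 0] },
];

// Parse "7.25.1" or "v7.25.1" into [major, minor, patch]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed undici falls inside one of the advisory's affected ranges.
function isAffectedUndiciVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.fixed) < 0,
  );
}

// The two proxy URI schemes the advisory names as taking the SOCKS5 path.
const SOCKS_SCHEMES = new Set(['socks:', 'socks5:']);

function isSocksProxyUri(uri) {
  return SOCKS_SCHEMES.has(new URL(uri).protocol);
}

// Guard around `new ProxyAgent(opts)` on an unpatched undici: when requestTls would be
// dropped (SOCKS URI + affected version), throw rather than connect with the default trust store.
// undiciVersion comes from the lockfile or `npm ls undici` (assumption: caller supplies it).
function buildProxyAgentOptions({ proxyUri, requestTls, undiciVersion }) {
  const opts = { uri: proxyUri };
  if (requestTls) {
    if (isSocksProxyUri(proxyUri) && isAffectedUndiciVersion(undiciVersion)) {
      throw new Error(
        `refusing SOCKS proxy ${proxyUri} with requestTls on undici ${undiciVersion}: ` +
          'requestTls is dropped (CVE-2026-9697); upgrade or use an http(s):// proxy',
      );
    }
    opts.requestTls = requestTls;
  }
  return opts;
}

// Constructed sample deployments (not real data) to audit; "<internal-ca-pem>" stands in for a CA bundle.
const SAMPLE_DEPLOYMENTS = [
  { name: 'corp-api-client', proxyUri: 'socks5://proxy.internal:1080', requestTls: { ca: '<internal-ca-pem>' }, undiciVersion: '7.25.1' },
  { name: 'legacy-fetcher', proxyUri: 'http://proxy.internal:3128', requestTls: { ca: '<internal-ca-pem>' }, undiciVersion: '7.25.1' },
  { name: 'patched-client', proxyUri: 'socks5://proxy.internal:1080', requestTls: { ca: '<internal-ca-pem>' }, undiciVersion: '8.5.0' },
  { name: 'no-pin', proxyUri: 'socks://proxy.internal:1080', undiciVersion: '8.2.0' },
];

// Return the names of deployments that match all three conditions from the advisory:
// SOCKS proxy URI, reliance on requestTls, and an affected undici version.
function auditDeployments(deployments) {
  return deployments
    .filter((d) => d.requestTls && isSocksProxyUri(d.proxyUri) && isAffectedUndiciVersion(d.undiciVersion))
    .map((d) => d.name);
}

// On a real install: const { ProxyAgent } = require('undici');
// const agent = new ProxyAgent(buildProxyAgentOptions({ proxyUri, requestTls, undiciVersion }));
```

The "no-pin" entry is deliberately left out of the findings: a SOCKS5 deployment that never set requestTls was already using the default trust store, so its behaviour does not change with the bug, which matches the advisory's scoping to applications that rely on requestTls. The "legacy-fetcher" entry shows the workaround path: the same requestTls survives because the proxy URI is http://.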
Fix available
- undici / undici: affected < 7.28.0 (from 7.23.0) and < 8.5.0 (from 8.0.0); fixed in 7.28.0, 8.5.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N