CVE-2026-9697
Modified Modified - Updated After Analysis

ProxyAgent TLS Option Bypass via SOCKS5 Proxy

Vulnerability report for CVE-2026-9697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-07-07

Assigner: openjs

Description

Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nodejs undici From 7.23.0 (inc) to 7.28.0 (exc)
nodejs undici From 8.0.0 (inc) to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in undici's ProxyAgent when it is configured to use a SOCKS5 proxy URI (socks5:// or socks://). The ProxyAgent silently drops the requestTls option, which means that the HTTPS connection through the SOCKS5 tunnel does not use the user-configured TLS settings such as custom certificate authorities (CA), certificates, keys, or servername verification.

As a result, instead of using the intended internal or corporate CA for certificate pinning, the connection falls back to Node's default trust store (Mozilla CA bundle). This causes the application to accept any certificate signed by any publicly-trusted CA for the target hostname, breaking the intended security pin and enabling man-in-the-middle (MITM) attacks where attackers can read and tamper with HTTPS traffic.

Compliance Impact

This vulnerability allows man-in-the-middle (MITM) attacks by bypassing TLS certificate validation when using a SOCKS5 proxy with undici's ProxyAgent. As a result, HTTPS traffic can be intercepted and tampered with, breaking the intended TLS pinning and trust restrictions.

Such interception and tampering of HTTPS traffic can lead to unauthorized access to sensitive data, which may violate data protection requirements in common standards and regulations like GDPR and HIPAA that mandate the protection of data in transit.

Therefore, applications affected by this vulnerability risk non-compliance with these regulations due to compromised confidentiality and integrity of transmitted data.

Impact Analysis

The vulnerability can lead to a serious security risk where HTTPS connections that are supposed to be restricted to trusted internal or corporate certificate authorities instead accept any publicly-trusted certificate. This breaks certificate pinning and allows attackers to perform man-in-the-middle (MITM) attacks.

  • Attackers can intercept and read sensitive HTTPS traffic.
  • Attackers can tamper with the data exchanged over HTTPS.
  • Confidentiality and integrity of the HTTPS communication are compromised.
Mitigation Strategies

To mitigate this vulnerability, upgrade undici to version 7.28.0 or 8.5.0, where the issue is fixed.

If upgrading is not immediately possible, route the traffic through an HTTP-proxy ProxyAgent instead of a SOCKS5 proxy, as the HTTP-proxy ProxyAgent honors the requestTls option correctly.

Detection Guidance

This vulnerability occurs when undici's ProxyAgent is configured with a SOCKS5 proxy URI (socks5:// or socks://) and silently drops the requestTls option, causing HTTPS connections to fall back to Node's default trust store instead of using user-configured TLS settings.

To detect if your system or network is affected, you should check if your application uses undici versions between 7.23.0 and 7.28.0 (inclusive) or 8.0.0 to 8.5.0 (inclusive) with a SOCKS5 proxy configuration.

You can verify the undici version installed by running the following command in your project directory:

  • npm list undici

To check if your application is using a SOCKS5 proxy URI with undici's ProxyAgent, review your application's proxy configuration files or environment variables for URIs starting with socks5:// or socks://.

Additionally, you can monitor network traffic to detect if HTTPS connections are being routed through a SOCKS5 proxy by inspecting proxy settings or network logs.

Since the vulnerability involves TLS certificate validation bypass, you might also detect unexpected certificates accepted by your application when connecting through the SOCKS5 proxy, which can be checked by enabling verbose TLS logging or debugging in your Node.js application.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9697. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart