CVE-2026-9697
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description

Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.

Patches: Upgrade to undici v7.28.0 or v8.5.0.

Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Meta Information

Generated: 2026-06-18

EPSS Evaluated: N/A
Affected Vendors & Products

Vendor | Product | Version / Range
nodejs | undici | From 7.23.0 (inc) to 7.28.0 (inc)
nodejs | undici | From 8.0.0 (inc) to 8.5.0 (inc)
CWE

CWE-295: The product does not validate, or incorrectly validates, a certificate.
Executive Summary

This vulnerability occurs in undici's ProxyAgent when it is configured to use a SOCKS5 proxy URI (socks5:// or socks://). The ProxyAgent silently drops the requestTls option, which means that the HTTPS connection through the SOCKS5 tunnel does not use the user-configured TLS settings such as custom certificate authorities (CA), certificates, keys, or servername verification.

As a result, instead of using the intended internal or corporate CA for certificate pinning, the connection falls back to Node's default trust store (Mozilla CA bundle). This causes the application to accept any certificate signed by any publicly-trusted CA for the target hostname, breaking the intended security pin and enabling man-in-the-middle (MITM) attacks where attackers can read and tamper with HTTPS traffic.

Impact Analysis

The vulnerability can lead to a serious security risk where HTTPS connections that are supposed to be restricted to trusted internal or corporate certificate authorities instead accept any publicly-trusted certificate. This breaks certificate pinning and allows attackers to perform man-in-the-middle (MITM) attacks.

  • Attackers can intercept and read sensitive HTTPS traffic.
  • Attackers can tamper with the data exchanged over HTTPS.
  • Confidentiality and integrity of the HTTPS communication are compromised.

Mitigation Strategies

To mitigate this vulnerability, upgrade undici to version 7.28.0 or 8.5.0, where the issue is fixed.

If upgrading is not immediately possible, route the traffic through an HTTP-proxy ProxyAgent instead of a SOCKS5 proxy, as the HTTP-proxy ProxyAgent honors the requestTls option correctly.
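The following is an added example, not code from this advisory or from the undici project. It turns the Description and the mitigation advice above into a pre-flight check: it encodes the affected ranges (treating 7.28.0 and 8.5.0 as the first fixed releases, following the Patches line), recognises a socks5:// or socks:// proxy URI, and refuses to build a ProxyAgent configuration that pairs SOCKS5 with requestTls on an affected version, while building the HTTP-proxy configuration the advisory recommends as the workaround. The option names `uri` and `requestTls` are undici's documented ProxyAgent options; the proxy hostname, the servername and the CA placeholder are constructed values, and the commented-out undici calls show where the returned options would be used.

```javascript
// Added example (not undici's code): guard a ProxyAgent configuration that
// relies on requestTls against the SOCKS5 path described in CVE-2026-9697.

// First fixed release of each major line, per the advisory's Patches section
// (assumption: everything below these is affected within 7.23+ and 8.x).
const FIXED = { 7: [7, 28, 0], 8: [8, 5, 0] };
// SOCKS5 support, and with it the bug, was introduced in 7.23.0.
const FIRST_AFFECTED = [7, 23, 0];

// Parse "7.25.0" / "v8.4.2" into [major, minor, patch]; prerelease tags ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable undici version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when this undici version drops requestTls over a SOCKS5 proxy:
// 7.23.0 <= v < 7.28.0, or 8.0.0 <= v < 8.5.0.
function isAffectedUndici(version) {
  const v = parseSemver(version);
  if (v[0] === 7) {
    return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED[7]) < 0;
  }
  if (v[0] === 8) {
    return compareVersions(v, FIXED[8]) < 0;
  }
  return false; // other major lines are outside the advisory's affected range
}

// The advisory names both socks5:// and socks:// as the SOCKS5 path.
function isSocksProxy(proxyUri) {
  const protocol = new URL(proxyUri).protocol; // e.g. "socks5:" or "http:"
  return protocol === 'socks5:' || protocol === 'socks:';
}

// Build the options object for `new ProxyAgent(options)`. If the caller pins
// TLS via requestTls and the proxy is SOCKS5 on an affected version, fail
// loudly instead of letting the pin silently fall back to the default store.
function buildProxyAgentOptions({ proxyUri, requestTls, undiciVersion }) {
  if (requestTls && isSocksProxy(proxyUri) && isAffectedUndici(undiciVersion)) {
    throw new Error(
      `undici ${undiciVersion} ignores requestTls over ${proxyUri} (CVE-2026-9697); ` +
      'upgrade to 7.28.0 / 8.5.0 or route through an http(s):// proxy URI'
    );
  }
  const options = { uri: proxyUri };
  if (requestTls) options.requestTls = requestTls;
  return options;
}

// Constructed pin: trust only the internal CA and require the expected
// hostname on the leaf certificate. The PEM value is a placeholder.
const INTERNAL_CA_PEM = '<PEM of the internal CA goes here; placeholder, not a real certificate>';
const pinnedRequestTls = {
  ca: INTERNAL_CA_PEM,
  servername: 'api.internal.example',
  rejectUnauthorized: true,
};

// The advisory's workaround: an HTTP proxy URI, where requestTls is honoured
// even on an affected release (constructed proxy host and version).
const workaroundOptions = buildProxyAgentOptions({
  proxyUri: 'http://proxy.internal.example:3128',
  requestTls: pinnedRequestTls,
  undiciVersion: '7.25.0',
});
// With undici installed, the dispatcher would be created from these options:
//   const { ProxyAgent, setGlobalDispatcher } = require('undici');
//   setGlobalDispatcher(new ProxyAgent(workaroundOptions));
console.log(workaroundOptions.uri, Object.keys(workaroundOptions));
```

In practice the `undiciVersion` argument would come from `require('undici/package.json').version` or the lockfile; the check belongs at startup so a SOCKS5 URI introduced later through configuration cannot quietly weaken the pin.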

Compliance Impact

This vulnerability allows man-in-the-middle (MITM) attacks by bypassing TLS certificate validation when using a SOCKS5 proxy with undici's ProxyAgent. As a result, HTTPS traffic can be intercepted and tampered with, breaking the intended TLS pinning and trust restrictions.

Such interception and tampering of HTTPS traffic can lead to unauthorized access to sensitive data, which may violate data protection requirements in common standards and regulations like GDPR and HIPAA that mandate the protection of data in transit.

Therefore, applications affected by this vulnerability risk non-compliance with these regulations due to compromised confidentiality and integrity of transmitted data.
