Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
Summary
undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly. A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js's default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution. This is an Important vulnerability. Applications using `undici`'s `ProxyAgent` with a SOCKS5 proxy URI will silently ignore user-configured TLS options, including custom Certificate Authorities. This bypasses intended security controls for HTTPS communication, enabling a remote attacker to perform Man-in-the-Middle attacks, potentially leading to information disclosure or arbitrary code execution in affected Red Hat products. Red Hat severity: Important — CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-295. Fixed by RHSA-2026:35841, RHSA-2026:34342, RHSA-2026:22380, RHSA-2026:22934, RHSA-2026:7378 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Cluster Observability Operator 1.5.0; Red Hat Hardened Images.
- cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494
- cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193
- cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981
- cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519
- nodejs25-main-25.9.0-1.1.hum1
- nodejs24-1:24.18.0-1.el10_2
- cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476
- rust-main-1.96.0-1.hum1
- cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753
- cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225
- cluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658
- nodejs26-main-26.3.0-1.2.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- nodejs24-1:24.18.0-1.el10_2
- cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519
- cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981
- cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193
- cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753
- cluster-observability-operator/logging-console-plugin-rhel9:1782841925
- cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225
- cluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658
- cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476
- cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494
- nodejs26-main-26.3.0-1.2.hum1
- rust-main-1.96.0-1.hum1
- nodejs25-main-25.9.0-1.1.hum1
- RHSA-2026:35841
- RHSA-2026:34342
- RHSA-2026:22380
- RHSA-2026:22934
- RHSA-2026:7378
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.