Package Instance

`undici.request` vulnerable to SSRF using absolute URL on `pathname`
### Impact

`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.

If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`.

If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

### Patches

This issue was fixed in `undici@5.8.1`.

### Workarounds

The best workaround is to validate user input before passing it to the `undici.request` call.

## For more information
If you have any questions or comments about this advisory:

- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
### Impact

`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.

Example:

```
import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})
```

The above snippet will perform two requests in a single `request` API call:

1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

### Patches

This issue was patched in Undici v5.8.1

### Workarounds

Sanitize input when sending content-type headers using user input.

## For more information
If you have any questions or comments about this advisory:

- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document