@@ -87,6 +87,17 @@ meet the following criteria:
8787* Dependencies installed by the application.
8888* The DNS resolution results provided by the operating system or configured
8989 resolvers.
90+ * The network environment in which the process runs, including any private or
91+ internal networks it can reach, for the privacy of traffic on that network.
92+ Deployments that require stronger isolation, monitoring, or egress controls
93+ are responsible for providing them.
94+ * Any proxy server configured by the application, runtime, or environment.
95+ Proxies are trusted network intermediaries and must be authorized by the
96+ relevant network or deployment authority. Undici's proxy support is for
97+ routing traffic through such proxies, for example to reach external networks
98+ through a firewall; it is not intended to provide anonymity, hide traffic, or
99+ bypass organizational, regulatory, or legal controls. Untrusted proxies are
100+ outside the supported threat model.
90101
91102In other words, if untrusted data passing through undici to the application
92103can trigger actions other than those documented for the APIs, there is likely
@@ -172,6 +183,16 @@ lead to a loss of confidentiality, integrity, or availability.
172183 input to request options) are the application's responsibility, not
173184 vulnerabilities in undici.
174185
186+ #### Unauthorized or untrusted proxy use
187+
188+ * If an application configures undici to use a proxy that is untrusted,
189+ malicious, or not authorized by the relevant network or deployment authority,
190+ any resulting privacy loss, policy bypass, regulatory exposure, traffic
191+ manipulation, or unavailability is the deployment's responsibility. Undici
192+ cannot determine whether a proxy is authorized for a user's network or
193+ jurisdiction, and preventing use of proxies to hide traffic or evade controls
194+ is a non-goal.
195+
175196## Receiving security updates
176197
177198Security notifications will be distributed via
0 commit comments