undici
npm27 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting undicipage 1 of 1
- CVE-2022-31150MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.8.02022-07-19
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untru…
- CVE-2022-31151LOWCVSS 3.7EG 3.7✓ Fixed in 5.8.02022-07-21
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may l…
- CVE-2022-32210MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.5.12022-07-14
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also m…
- CVE-2022-35948MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.8.22022-08-15
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Exam…
- CVE-2022-35949MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.8.22022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifie…
- CVE-2023-23936MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.19.12023-02-16
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a wo…
- CVE-2023-24807HIGHCVSS 7.5EG 7.5✓ Fixed in 5.19.12023-02-16
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the function…
- CVE-2023-45143LOWCVSS 3.5EG 3.9✓ Fixed in 5.26.22023-10-12
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden r…
- CVE-2024-24750MEDIUMCVSS 6.5EG 6.5✓ Fixed in 6.6.12024-02-16
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in vers…
- CVE-2024-24758LOWCVSS 3.9EG 3.9✓ Fixed in 6.6.12024-02-16
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.…
- CVE-2024-30260LOWCVSS 3.9EG 3.9✓ Fixed in 6.11.12024-04-04
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 …
- CVE-2024-30261LOWCVSS 2.6EG 2.6✓ Fixed in 6.11.12024-04-04
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patche…
- CVE-2024-38372LOWCVSS 2.0EG 2.0✓ Fixed in 6.19.22024-07-08
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in…
- CVE-2025-22150MEDIUMCVSS 6.8EG 6.8✓ Fixed in 7.2.32025-01-21
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` c…
- CVE-2025-47279LOWCVSS 3.1EG 3.1✓ Fixed in 7.5.02025-05-15
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they ca…
- CVE-2026-11525LOWCVSS 3.7EG 3.7✓ Fixed in 8.5.02026-06-17
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently map…
- CVE-2026-12151HIGHCVSS 7.5EG 7.5✓ Fixed in 8.5.02026-06-17
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continu…
- CVE-2026-1526HIGHCVSS 7.5EG 7.5✓ Fixed in 6.24.02026-03-12
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompres…
- CVE-2026-1528HIGHCVSS 7.5EG 7.5✓ Fixed in 6.24.02026-03-12
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.…
- CVE-2026-22036MEDIUMCVSS 5.9EG 5.9✓ Fixed in 6.23.02026-01-14
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high…
- CVE-2026-2229HIGHCVSS 7.5EG 7.5✓ Fixed in 6.24.02026-03-12
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automa…
- CVE-2026-6733LOWCVSS 3.7EG 3.7✓ Fixed in 8.5.02026-06-17
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When…
- CVE-2026-6734HIGHCVSS 7.5EG 7.5✓ Fixed in 8.2.02026-06-17
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first…
- CVE-2026-9675HIGHCVSS 7.5EG 7.5✓ Fixed in 8.5.02026-06-17
Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame valid…
- CVE-2026-9678MEDIUMCVSS 5.9EG 5.9✓ Fixed in 8.5.02026-06-17
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\ta…
- CVE-2026-9679MEDIUMCVSS 5.9EG 5.9✓ Fixed in 8.5.02026-06-17
Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and b…
- CVE-2026-9697HIGHCVSS 7.4EG 7.4✓ Fixed in 8.5.02026-06-17
Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user…
Check whether undici is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for undici CVEs against the assets you own.
Start Free Scan →