undici — CVE history (npm)

undici

30 CVEs affect the undici npm package (highest CVSS 7.5). Latest disclosed: 2026-06-17. Full CVE history sourced from NVD.

Summary

Package: undici (npm)
Total CVEs: 30
Actively exploited (CISA KEV): 0
Highest CVSS: 7.5
Latest disclosed: 2026-06-17

Recent CVEs (top 20)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-9697 | High | 7.4 | - | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). |
| CVE-2026-9679 | Medium | 5.9 | - | 2026-06-17 | Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. |
| CVE-2026-9678 | Medium | 5.9 | - | 2026-06-17 | Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\ta… |
| CVE-2026-6734 | High | 7.5 | - | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. |
| CVE-2026-6733 | Low | 3.7 | - | 2026-06-17 | Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. |
| CVE-2026-11525 | Low | 3.7 | - | 2026-06-17 | Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. |
| CVE-2026-9675 | High | 7.5 | - | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. |
| CVE-2026-12151 | High | 7.5 | - | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. |
| CVE-2026-2581 | Medium | 5.9 | - | 2026-03-12 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). |
| CVE-2026-2229 | High | 7.5 | - | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. |
| CVE-2026-1528 | High | 7.5 | - | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. |
| CVE-2026-1527 | Medium | 4.6 | - | 2026-03-12 | Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle… |
| CVE-2026-1526 | High | 7.5 | - | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. |
| CVE-2026-1525 | Medium | 6.5 | - | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). |
| CVE-2026-22036 | Medium | 5.9 | - | 2026-01-14 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2025-47279 | Low | 3.1 | - | 2025-05-15 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2025-22150 | Medium | 6.8 | - | 2025-01-21 | Undici is an HTTP/1.1 client. |
| CVE-2024-38372 | Low | 2.0 | - | 2024-07-08 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |
| CVE-2024-30260 | Low | 3.9 | - | 2024-04-04 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |
| CVE-2024-30261 | Low | 2.6 | - | 2024-04-04 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6734 | High | 7.5 | - | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. |
| CVE-2026-9675 | High | 7.5 | - | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. |
| CVE-2026-12151 | High | 7.5 | - | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. |
| CVE-2026-2229 | High | 7.5 | - | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. |
| CVE-2026-1528 | High | 7.5 | - | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. |
| CVE-2026-1526 | High | 7.5 | - | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. |
| CVE-2023-24807 | High | 7.5 | - | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2026-9697 | High | 7.4 | - | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). |
| CVE-2025-22150 | Medium | 6.8 | - | 2025-01-21 | Undici is an HTTP/1.1 client. |
| CVE-2026-1525 | Medium | 6.5 | - | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). |