undici — CVE history (npm)
undici
30 CVEs affect the undici npm package (highest CVSS 7.5). Latest disclosed: 2026-06-17. Full CVE history sourced from NVD.
Summary
- Package: undici (npm)
- Total CVEs: 30
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2026-06-17
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-9697 | High | 7.4 | — | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). |
| CVE-2026-9679 | Medium | 5.9 | — | 2026-06-17 | Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. |
| CVE-2026-9678 | Medium | 5.9 | — | 2026-06-17 | Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\ta… |
| CVE-2026-6734 | High | 7.5 | — | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. |
| CVE-2026-6733 | Low | 3.7 | — | 2026-06-17 | Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. |
| CVE-2026-11525 | Low | 3.7 | — | 2026-06-17 | Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. |
| CVE-2026-9675 | High | 7.5 | — | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. |
| CVE-2026-12151 | High | 7.5 | — | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. |
| CVE-2026-2581 | Medium | 5.9 | — | 2026-03-12 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). |
| CVE-2026-2229 | High | 7.5 | — | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. |
| CVE-2026-1528 | High | 7.5 | — | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. |
| CVE-2026-1527 | Medium | 4.6 | — | 2026-03-12 | Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle… |
| CVE-2026-1526 | High | 7.5 | — | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. |
| CVE-2026-1525 | Medium | 6.5 | — | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). |
| CVE-2026-22036 | Medium | 5.9 | — | 2026-01-14 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2025-47279 | Low | 3.1 | — | 2025-05-15 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2025-22150 | Medium | 6.8 | — | 2025-01-21 | Undici is an HTTP/1.1 client. |
| CVE-2024-38372 | Low | 2.0 | — | 2024-07-08 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |
| CVE-2024-30260 | Low | 3.9 | — | 2024-04-04 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |
| CVE-2024-30261 | Low | 2.6 | — | 2024-04-04 | Undici is an HTTP/1.1 client, written from scratch for Node.js. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6734 | High | 7.5 | — | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. |
| CVE-2026-9675 | High | 7.5 | — | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. |
| CVE-2026-12151 | High | 7.5 | — | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. |
| CVE-2026-2229 | High | 7.5 | — | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. |
| CVE-2026-1528 | High | 7.5 | — | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. |
| CVE-2026-1526 | High | 7.5 | — | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. |
| CVE-2023-24807 | High | 7.5 | — | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. |
| CVE-2026-9697 | High | 7.4 | — | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). |
| CVE-2025-22150 | Medium | 6.8 | — | 2025-01-21 | Undici is an HTTP/1.1 client. |
| CVE-2026-1525 | Medium | 6.5 | — | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). |