Nodejs Undici

30 CVEs affecting Nodejs Undici. Latest disclosed: 2026-06-17. Critical: 0, High: 8.

Top CVEs affecting Nodejs Undici
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-6734 | High | 7.5 | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the reque… |
| CVE-2026-9675 | High | 7.5 | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious… |
| CVE-2026-12151 | High | 7.5 | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number o… |
| CVE-2026-2229 | High | 7.5 | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permess… |
| CVE-2026-1528 | High | 7.5 | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends u… |
| CVE-2026-1526 | High | 7.5 | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSoc… |
| CVE-2023-24807 | High | 7.5 | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Deni… |
| CVE-2026-9697 | High | 7.4 | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection t… |
| CVE-2025-22150 | Medium | 6.8 | 2025-01-21 | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for… |
| CVE-2026-1525 | Medium | 6.5 | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This… |
| CVE-2024-24750 | Medium | 6.5 | 2024-02-16 | Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it… |
| CVE-2023-23936 | Medium | 6.5 | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from… |
| CVE-2022-32210 | Medium | 6.5 | 2022-07-14 | `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that p… |
| CVE-2026-9679 | Medium | 5.9 | 2026-06-17 | Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into th… |
| CVE-2026-9678 | Medium | 5.9 | 2026-06-17 | Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified p… |
| CVE-2026-2581 | Medium | 5.9 | 2026-03-12 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptor… |
| CVE-2026-22036 | Medium | 5.9 | 2026-01-14 | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize… |
| CVE-2022-35948 | Medium | 5.3 | 2022-08-15 | undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized inp… |
| CVE-2022-35949 | Medium | 5.3 | 2022-08-12 | undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user… |
| CVE-2022-31150 | Medium | 5.3 | 2022-07-19 | undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5… |