Nodejs Undici
30 CVEs affecting Nodejs Undici. Latest disclosed: 2026-06-17. Critical: 0, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-6734 | High | 7.5 | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the reque… |
| CVE-2026-9675 | High | 7.5 | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious… |
| CVE-2026-12151 | High | 7.5 | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number o… |
| CVE-2026-2229 | High | 7.5 | 2026-03-12 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permess… |
| CVE-2026-1528 | High | 7.5 | 2026-03-12 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends u… |
| CVE-2026-1526 | High | 7.5 | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSoc… |
| CVE-2023-24807 | High | 7.5 | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Deni… |
| CVE-2026-9697 | High | 7.4 | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection t… |
| CVE-2025-22150 | Medium | 6.8 | 2025-01-21 | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for… |
| CVE-2026-1525 | Medium | 6.5 | 2026-03-12 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This… |
| CVE-2024-24750 | Medium | 6.5 | 2024-02-16 | Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it… |
| CVE-2023-23936 | Medium | 6.5 | 2023-02-16 | Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from… |
| CVE-2022-32210 | Medium | 6.5 | 2022-07-14 | `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that p… |
| CVE-2026-9679 | Medium | 5.9 | 2026-06-17 | Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into th… |
| CVE-2026-9678 | Medium | 5.9 | 2026-06-17 | Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified p… |
| CVE-2026-2581 | Medium | 5.9 | 2026-03-12 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptor… |
| CVE-2026-22036 | Medium | 5.9 | 2026-01-14 | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize… |
| CVE-2022-35948 | Medium | 5.3 | 2022-08-15 | undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized inp… |
| CVE-2022-35949 | Medium | 5.3 | 2022-08-12 | undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user… |
| CVE-2022-31150 | Medium | 5.3 | 2022-07-19 | undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5… |