
Debian Node-Undici vulnerabilities

23 known vulnerabilities affecting debian/node-undici.

Total CVEs: 23
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 9, LOW 10

Vulnerabilities

Page 1 of 2
CVE-2026-1526 | HIGH | CVSS 7.5 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[HIGH] node-undici: The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send
CVE-2026-2229 | HIGH | CVSS 7.5 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[HIGH] node-undici: Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_win
CVE-2026-1528 | HIGH | CVSS 7.5 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[HIGH] node-undici: Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later. Scope: local bookwor
CVE-2026-22036 | MEDIUM | CVSS 5.9 | fixed in node-undici 7.18.2+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[MEDIUM] node-undici: Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. Scope: local bookworm: open f
CVE-2026-1527 | MEDIUM | CVSS 4.6 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[MEDIUM] node-undici: Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value dir
CVE-2026-1525 | MEDIUM | CVSS 6.5 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[MEDIUM] node-undici: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with heade
CVE-2026-2581 | LOW | CVSS 5.9 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2026 | debian
[MEDIUM] node-undici: This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/
CVE-2025-22150 | MEDIUM | CVSS 6.8 | fixed in node-undici 7.3.0+dfsg1+~cs24.12.11-1 (forky) | 2025 | debian
[MEDIUM] node-undici: Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart reques
CVE-2025-23167 | LOW | CVSS 6.5 | fixed in node-undici 7.15.0+dfsg+~cs3.2.0-1 (forky) | 2025 | debian
[MEDIUM] llhttp: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header terminat
CVE-2025-47279 | LOW | CVSS 3.1 | fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1 (forky) | 2025 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5
CVE-2024-38372 | LOW | CVSS 2.0 | 2024 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. Scope: local bookworm: resolved forky: resolved sid: resolved trixie: resolved
CVE-2024-30260 | LOW | CVSS 3.9 | fixed in node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | 2024 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. Scope: local bookworm: open forky: resolved (fixed in 5.28.4+dfsg1+~cs23.12.11-1) sid: resolved (fixed in 5.28.4+d
CVE-2024-24750 | LOW | CVSS 6.5 | 2024 | debian
[MEDIUM] node-undici: Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body. Scop
CVE-2024-24758 | LOW | CVSS 3.9 | fixed in node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | 2024 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Scope: local bookworm: open forky: r
CVE-2024-30261 | LOW | CVSS 2.6 | fixed in node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | 2024 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. Scope: local bookworm: open forky: resolved (fixed in 5.28.4+dfsg1+~cs23.12.11-1) sid: reso
CVE-2023-24807 | HIGH | CVSS 7.5 | fixed in node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1 (bookworm) | 2023 | debian
[HIGH] node-undici: Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility fun
CVE-2023-23936 | MEDIUM | CVSS 6.5 | fixed in node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1 (bookworm) | 2023 | debian
[MEDIUM] node-undici: Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. Scope: local bookworm: resolved (fixed in 5.15.0+dfs
CVE-2023-45143 | LOW | CVSS 3.9 | fixed in node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 (bookworm) | 2023 | debian
[LOW] node-undici: Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more l
CVE-2022-35948 | MEDIUM | CVSS 5.3 | fixed in node-undici 5.8.2+dfsg1+~cs18.9.18.1-1 (bookworm) | 2022 | debian
[MEDIUM] node-undici: undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example:
```
import { request } from 'undici'
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'
```
CVE-2022-31150 | MEDIUM | CVSS 5.3 | fixed in node-undici 5.8.0+dfsg1+~cs18.9.16-1 (bookworm) | 2022 | debian
[MEDIUM] node-undici: undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. Scope: local bookworm: resolved (fixed in 5.8.0+dfsg1+~cs1