Nodejs Undici vulnerabilities
30 known vulnerabilities affecting nodejs/undici.
Total CVEs: 30
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 13, LOW 6
Vulnerabilities
Page 1 of 2
CVE-2026-1525 | P3 | CRITICAL | CVSS 9.8 | CWE-444 | fixed in 6.24.0 | affected ≥ 7.0.0, < 7.24.0 | published 2026-03-12
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
* Applications using undici.request(), undici.Client, or similar low-level
Sources: NVD
CVE-2026-6734 | P3 | HIGH | CVSS 8.8 | CWE-346 | affected ≥ 7.23.0, < 7.28.0; ≥ 8.0.0, < 8.2.0 | published 2026-06-17
Impact:
When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.
This causes cross-origin request routing: credentials and request
Sources: NVD
CVE-2022-35949 | P3 | CRITICAL | CVSS 9.8 | CWE-918 | affected ≤ 5.8.1 | published 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({ori
Sources: GHSA, NVD, OSV
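The entry above explains the bug but cuts off before the example. The block below is an added illustration, not code from this page or from undici: it uses Node's built-in WHATWG URL parser (no network access) to show where a `path` value such as `//127.0.0.1` actually sends a request when it is resolved against the intended origin, and a pre-dispatch check an application can run on untrusted path input. The names `effectiveTarget`, `safePath` and `demo`, and the sample inputs, are this example's own.

```javascript
// Added example (not undici's code): how an attacker-controlled `path` value
// escapes the intended origin, and a check to run before handing it to a
// request API. Uses Node's built-in WHATWG URL parser; no network access.
// `effectiveTarget`, `safePath` and `demo` are this example's own names.

// Where a request lands when `path` is resolved against `origin`
// the way a URL reference would be.
function effectiveTarget(origin, path) {
  return new URL(path, origin).href;
}

// Returns the normalized path + query to send, or throws if the value
// could redirect the request to another host.
function safePath(origin, untrustedPath) {
  if (typeof untrustedPath !== "string") throw new TypeError("path must be a string");
  // Absolute URLs ("http://...") and protocol-relative references ("//host")
  // both change the host; only a single leading "/" is acceptable.
  if (!untrustedPath.startsWith("/") || untrustedPath.startsWith("//")) {
    throw new Error(`path must start with exactly one "/": ${JSON.stringify(untrustedPath)}`);
  }
  // Backslash, whitespace and control characters are re-interpreted as
  // separators by URL parsers ("/\\host" is parsed like "//host").
  if (/[\\\s\x00-\x1f\x7f]/.test(untrustedPath)) {
    throw new Error("path contains a backslash, whitespace or control character");
  }
  // Resolve it and confirm the origin is unchanged.
  const base = new URL(origin);
  const resolved = new URL(untrustedPath, base);
  if (resolved.origin !== base.origin) throw new Error(`path escapes origin: ${resolved.origin}`);
  return resolved.pathname + resolved.search;
}

// Constructed inputs (values a user might supply and an app might pass as `path`).
function demo(origin = "http://example.com") {
  const results = {};
  for (const p of ["/api/users?id=7", "//127.0.0.1/admin", "http://127.0.0.1/", "/\\127.0.0.1/"]) {
    let verdict;
    try { verdict = `ok: ${safePath(origin, p)}`; } catch (e) { verdict = `rejected: ${e.message}`; }
    results[p] = { resolvesTo: effectiveTarget(origin, p), verdict };
  }
  return results;
}
```

The prefix test alone is not enough: the final origin comparison catches anything the parser normalizes into a different host, which is why the check resolves the value the same way a URL reference would be resolved and then compares `origin`, not just the first character.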
CVE-2026-9697 | P3 | HIGH | CVSS 7.4 | CWE-295 | affected ≥ 7.23.0, < 7.28.0; ≥ 8.0.0, < 8.5.0 | published 2026-06-17
Impact:
undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.
Applications that pin to an internal or cor
Sources: NVD
CVE-2026-2229 | P3 | HIGH | CVSS 7.5 | CWE-248 | fixed in 6.24.0 | affected ≥ 7.0.0, < 7.24.0 | published 2026-03-12
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range ser
Sources: NVD
CVE-2026-1526 | P3 | HIGH | CVSS 7.5 | CWE-409 | fixed in 6.24.0 | affected ≥ 7.0.0, < 7.24.0 | published 2026-03-12
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket serv
Sources: NVD
CVE-2026-9675 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected ≥ 8.0.0, < 8.5.0 | published 2026-06-17
Impact:
The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The resul
Sources: NVD
CVE-2026-12151 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected ≥ 6.17.0, < 6.27.0; ≥ 7.0.0, < 7.28.0; +1 more | published 2026-06-17
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth
Sources: NVD
CVE-2026-22036 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 6.23.0 | affected ≥ 7.0.0, < 7.18.2; +1 more | published 2026-01-14
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Sources: GHSA, NVD, OSV
CVE-2026-1528 | P3 | HIGH | CVSS 7.5 | CWE-248 | fixed in 6.24.0 | affected ≥ 7.0.0, < 7.24.0 | published 2026-03-12
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches: Patched in undici v7.24.0 and v6.24.0. Users should upgrade to those versions or later.
Sources: NVD
CVE-2023-24807 | P3 | HIGH | CVSS 7.5 | CWE-20 | fixed in 5.19.1 | published 2023-02-16
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` u
Sources: GHSA, NVD, OSV
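The entry above names the cause (an inefficient regular expression in header-value normalization) without showing the fix. The block below is an added example, not code from this page or from undici: a linear-time trim of leading and trailing HTTP whitespace (HTAB, LF, CR, SP) next to a regex of the shape that backtracks. The regex is a stand-in for that shape, not copied from undici, and `normalizeHeaderValue`, `normalizeWithRegex`, `compare` and the constructed input are this example's own.

```javascript
// Added example (not undici's code): trimming HTTP whitespace with one linear
// scan instead of a backtracking regex. The regex below is only a stand-in of
// the vulnerable shape (an anchored alternation over a whitespace class).
const WS = new Set([0x09, 0x0a, 0x0d, 0x20]); // HTAB, LF, CR, SP

function normalizeHeaderValue(value) {
  let start = 0, end = value.length;
  while (start < end && WS.has(value.charCodeAt(start))) start++;
  while (end > start && WS.has(value.charCodeAt(end - 1))) end--;
  return value.slice(start, end); // O(n): every index is visited at most once
}

// Backtracking stand-in: for an input like "a<many spaces>b" the `[..]+$`
// branch is tried from every space, matches the whole run, fails at `b`,
// and backtracks through the run each time, so cost grows quadratically.
function normalizeWithRegex(value) {
  return value.replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, "");
}

// Run both on the same input and report agreement and elapsed time (ms).
function compare(value) {
  const t0 = process.hrtime.bigint();
  const linear = normalizeHeaderValue(value);
  const t1 = process.hrtime.bigint();
  const regex = normalizeWithRegex(value);
  const t2 = process.hrtime.bigint();
  return { same: linear === regex, result: linear, linearMs: Number(t1 - t0) / 1e6, regexMs: Number(t2 - t1) / 1e6 };
}

// Constructed pathological input: a long run of spaces that is not at either end.
const constructedPathological = "a" + " ".repeat(20000) + "b";
```

Running `compare(constructedPathological)` shows the asymmetry; the linear version finishes in microseconds regardless of input length, which is the property a header-value normalizer exposed to untrusted input needs.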
CVE-2025-22150 | P3 | MEDIUM | CVSS 6.8 | CWE-330 | affected ≥ 4.5.0, < 5.28.5; ≥ 6.0.0, < 6.21.1; +1 more | published 2025-01-21
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multi
Sources: GHSA, NVD, OSV
CVE-2026-9678 | P3 | MEDIUM | CVSS 5.9 | CWE-524 | affected ≥ 7.0.0, < 7.28.0; ≥ 8.0.0, < 8.5.0 | published 2026-06-17
Impact:
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authoriza
Sources: NVD
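The entry above describes a comparison that fails because whitespace inside the quoted field list is preserved. The block below is an added example, not code from this page or from undici's cache interceptor: a Cache-Control parser that splits on commas outside quoted strings, lower-cases directive names, and trims and lower-cases each field name inside a qualified `private=` or `no-cache=` list before it is compared, plus a helper that answers the question a shared cache has to ask (which response fields must be stripped before storing, or whether the response may be stored at all). `parseCacheControl` and `fieldsToStrip` are this example's own names.

```javascript
// Added example (not undici's code): Cache-Control parsing in which
// `private=" authorization"` still matches the Authorization field.
function parseCacheControl(value) {
  const directives = new Map();
  // Split on commas that are not inside a quoted-string.
  const parts = [];
  let cur = "", inQuote = false;
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    if (ch === "," && !inQuote) { parts.push(cur); cur = ""; } else cur += ch;
  }
  parts.push(cur);
  for (const raw of parts) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase(); // directive names are case-insensitive
    let arg = eq === -1 ? true : part.slice(eq + 1).trim();
    if (typeof arg === "string" && arg.length >= 2 && arg.startsWith('"') && arg.endsWith('"')) {
      // Qualified form: a quoted, comma-separated list of field names.
      // Trim and lower-case each member so padding cannot defeat a later comparison.
      arg = arg.slice(1, -1).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    }
    directives.set(name, arg);
  }
  return directives;
}

// For a shared cache: the Set of lower-cased field names that must be removed
// before the response is stored (qualified private= / no-cache=), or null if
// the response must not be stored at all (no-store, unqualified private).
function fieldsToStrip(cacheControl) {
  const d = parseCacheControl(cacheControl);
  if (d.get("no-store") === true || d.get("private") === true) return null;
  const strip = new Set();
  for (const name of ["private", "no-cache"]) {
    const v = d.get(name);
    if (Array.isArray(v)) for (const field of v) strip.add(field);
  }
  return strip;
}
```

The comparison side must be normalized the same way: a cache that lower-cases and trims the list members but compares them against a header name that has not been lower-cased reintroduces the mismatch.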
CVE-2022-31150 | P4 | MEDIUM | CVSS 6.5 | CWE-93 | fixed in 5.8.0 | fixed in v5.7.1, >= v5.8.0 | published 2022-07-19
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Sources: GHSA, NVD, OSV
CVE-2022-32210 | P4 | MEDIUM | CVSS 6.5 | CWE-295 | affected ≥ 4.8.2, < 5.5.1 | published 2022-07-14
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Sources: GHSA, NVD, OSV
CVE-2026-9679 | P4 | MEDIUM | CVSS 5.9 | CWE-93 | fixed in 6.27.0 | affected ≥ 7.0.0, < 7.28.0; +1 more | published 2026-06-17
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a
Sources: NVD
CVE-2026-2581 | P4 | MEDIUM | CVSS 5.9 | CWE-770 | affected ≥ 7.17.0, < 7.24.0 | published 2026-03-12
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this
Sources: NVD
CVE-2022-31151 | P4 | MEDIUM | CVSS 6.5 | CWE-601 | fixed in 5.7.1 | published 2022-07-21
Authorization headers are cleared on cross-origin redirect. However, Cookie headers, which are sensitive and are official headers defined in the spec, remain uncleared. There are active users sending cookie headers with undici. This may lead to accidental leakage of cookies to a 3rd-party site or to a malicious attacker who can control the redirection
Sources: GHSA, NVD, OSV
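The entry above is about which headers survive a redirect to another origin. The block below is an added example, not code from this page or from undici's redirect handling: a header policy that drops Authorization, Proxy-Authorization and Cookie whenever the redirect target's origin (scheme, host, port) differs from the current URL's, keeps them on same-origin hops, and a small offline driver that walks a constructed redirect chain with a hop limit. `CREDENTIAL_HEADERS`, `sameOrigin`, `headersForRedirect` and `followRedirects` are this example's own names; nothing here performs network requests.

```javascript
// Added example (not undici's code): credential-bearing headers are dropped
// when a redirect crosses an origin boundary. Names and the hop list are
// this example's own.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Same scheme, host and port; the URL class normalizes default ports, so
// "https://h" and "https://h:443" compare equal, while https -> http does not.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// headers: plain object {name: value}. Returns the headers to send to `location`
// when currently at `fromUrl`. Location may be relative, as in real responses.
function headersForRedirect(headers, fromUrl, location) {
  const target = new URL(location, fromUrl);
  if (sameOrigin(fromUrl, target.href)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Walk a constructed chain of hops [{status, location}] (no network) and
// return the final URL with the headers that would be sent to it.
function followRedirects(startUrl, headers, hops, maxHops = 5) {
  let url = startUrl, current = headers;
  for (const hop of hops) {
    if (--maxHops < 0) throw new Error("too many redirects");
    current = headersForRedirect(current, url, hop.location);
    url = new URL(hop.location, url).href;
  }
  return { url, headers: current };
}
```

Once credentials have been dropped on a cross-origin hop they stay dropped for the rest of the chain, since each hop starts from the previous hop's header set; a later redirect back to the original origin does not resurrect them.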
CVE-2024-24750 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | affected ≥ 6.0.0, < 6.6.1 | published 2024-02-16
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming
Sources: GHSA, NVD, OSV
CVE-2022-35948 | P4 | MEDIUM | CVSS 5.3 | CWE-74 | fixed in 5.8.2 | affected ≤ 5.8.0 | published 2022-08-15
undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2
Sources: GHSA, NVD, OSV
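Four entries on this page are header-serialization bugs of the same kind: CRLF in a value starts a new header line or a new request (CVE-2022-31150 and the entry just above), case-variant duplicates of Content-Length put two conflicting framing values on the wire (CVE-2026-1525), and percent-decoding a Set-Cookie value before forwarding it can manufacture a CRLF that was not in the original (CVE-2026-9679). The block below is an added example, not code from this page or from undici, of the check the advisories' workaround describes ("sanitize all headers from untrusted sources"): names must be RFC 9110 tokens, values may not contain CR, LF or NUL, and singleton headers are compared case-insensitively so `Content-Length` and `content-length` count as one field. Input uses the flat `[name, value, name, value, ...]` array shape; `validateHeaders`, `serializeHeaders`, `naiveSerialize`, the `SINGLETON` set and the constructed cookie are this example's own.

```javascript
// Added example (not undici's code): pre-dispatch header validation that
// rejects line-break characters and conflicting framing headers.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 field-name (token)
const BAD_VALUE = /[\r\n\0]/;                    // a serializer would emit these as a line break
const SINGLETON = new Set(["content-length", "host", "transfer-encoding"]); // one value only

// Returns Map<lower-cased name, [values]> or throws on anything that could
// change request framing or inject a header line.
function validateHeaders(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) throw new TypeError("expected [name, value, ...] array");
  const out = new Map();
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]);
    const value = String(flat[i + 1]);
    if (!TOKEN.test(name)) throw new Error(`invalid header name ${JSON.stringify(name)}`);
    if (BAD_VALUE.test(value)) throw new Error(`CR, LF or NUL in value of ${name}`);
    const key = name.toLowerCase(); // "Content-Length" and "content-length" are the same field
    const values = out.get(key) ?? [];
    values.push(value);
    if (SINGLETON.has(key) && values.length > 1) {
      throw new Error(`${key} given more than once: ${values.join(" / ")}`);
    }
    out.set(key, values);
  }
  return out;
}

// Serialize validated headers onto the wire, one line per value.
function serializeHeaders(flat) {
  let wire = "";
  for (const [key, values] of validateHeaders(flat)) {
    for (const v of values) wire += `${key}: ${v}\r\n`;
  }
  return wire;
}

// What a serializer without the checks emits for the same input, for comparison.
function naiveSerialize(flat) {
  let wire = "";
  for (let i = 0; i < flat.length; i += 2) wire += `${flat[i]}: ${flat[i + 1]}\r\n`;
  return wire;
}

// Cookie forwarding: keep the value as received; RFC 6265 defines no decoding.
// Decoding first turns %0D%0A into a real CRLF, which the check then rejects.
const receivedCookie = "session=abc%0D%0AX-Injected:%201"; // constructed Set-Cookie value
function forwardCookieRaw() {
  return validateHeaders(["Cookie", receivedCookie]).get("cookie")[0];
}
function forwardCookieDecoded() {
  return validateHeaders(["Cookie", decodeURIComponent(receivedCookie)]);
}
```

Rejecting rather than stripping is deliberate: silently removing a CRLF from an attacker-controlled value still sends a request the caller did not intend, and a thrown error surfaces the injection attempt where it can be logged.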