Nodejs Undici vulnerabilities
22 known vulnerabilities affecting nodejs/undici.
Total CVEs: 22
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 11, LOW 4
Vulnerabilities
Page 1 of 2
CVE-2026-1525 | CRITICAL | CVSS 9.8 | fixed in 6.24.0 | affects ≥ 7.0.0, < 7.24.0 | 2026-03-12
[MEDIUM] CWE-444 | source: nvd
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
* Applications using undici.request(), undici.Client, or similar low-level AP
CVE-2026-1528 | HIGH | CVSS 7.5 | fixed in 6.24.0 | affects ≥ 7.0.0, < 7.24.0 | 2026-03-12
[HIGH] CWE-248 | source: nvd
Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to these versions or later.
CVE-2026-2229 | HIGH | CVSS 7.5 | fixed in 6.24.0 | affects ≥ 7.0.0, < 7.24.0 | 2026-03-12
[HIGH] CWE-248 | source: nvd
Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range ser
CVE-2026-1526 | HIGH | CVSS 7.5 | fixed in 6.24.0 | affects ≥ 7.0.0, < 7.24.0 | 2026-03-12
[HIGH] CWE-409 | source: nvd
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket serv
CVE-2026-1527 | MEDIUM | CVSS 4.6 | fixed in 6.24.0 | affects ≥ 7.0.0, < 7.24.0 | 2026-03-12
[MEDIUM] CWE-93 | source: nvd
Impact
When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrad
CVE-2026-2581 | MEDIUM | CVSS 5.9 | affects ≥ 7.17.0, < 7.24.0 | 2026-03-12
[MEDIUM] CWE-770 | source: nvd
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this
CVE-2026-22036 | HIGH | CVSS 7.5 | fixed in 6.23.0 | affects ≥ 7.0.0, < 7.18.2 (+1 more) | 2026-01-14
[MEDIUM] CWE-770 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
CVE-2025-47279 | LOW | CVSS 3.1 | fixed in 5.29.0 | affects ≥ 6.0.0, < 6.21.2 (+1 more) | 2025-05-15
[LOW] CWE-401 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in
CVE-2025-22150 | MEDIUM | CVSS 6.8 | affects ≥ 4.5.0, < 5.28.5; ≥ 6.0.0, < 6.21.1 (+1 more) | 2025-01-21
[MEDIUM] CWE-330 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multi
CVE-2024-38372 | LOW | CVSS 2.0 | affects ≥ 6.14.0, < 6.19.2 | 2024-07-08
[LOW] CWE-201 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.
CVE-2024-30260 | MEDIUM | CVSS 4.3 | fixed in 5.28.4 | affects ≥ 6.0.0, < 6.11.1 (+1 more) | 2024-04-04
[LOW] CWE-285 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-30261 | LOW | CVSS 3.5 | fixed in 5.28.4 | affects ≥ 6.0.0, < 6.11.1 (+1 more) | 2024-04-04
[LOW] CWE-284 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept responses as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-24758 | MEDIUM | CVSS 4.5 | fixed in 5.28.3 | affects ≥ 6.0.0, < 6.6.1 (+1 more) | 2024-02-16
[LOW] CWE-200 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-24750 | MEDIUM | CVSS 6.5 | affects ≥ 6.0.0, < 6.6.1 | 2024-02-16
[MEDIUM] CWE-400 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions, calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming
CVE-2023-45143 | LOW | CVSS 3.5 | fixed in 5.26.2 | 2023-10-12
[LOW] CWE-200 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles hea
CVE-2023-24807 | HIGH | CVSS 7.5 | fixed in 5.19.1 | 2023-02-16
[HIGH] CWE-20 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` u
CVE-2023-23936 | MEDIUM | CVSS 5.4 | affects ≥ 2.0.0, < 5.19.1 | 2023-02-16
[MEDIUM] CWE-93 | sources: cvelistv5, nvd
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
CVE-2022-35948 | MEDIUM | CVSS 5.3 | fixed in 5.8.2 | affects ≤ 5.8.0 | 2022-08-15
[MEDIUM] CWE-74 | sources: cvelistv5, nvd
undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: `import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2`
CVE-2022-35949 | CRITICAL | CVSS 9.8 | affects ≤ 5.8.1 | 2022-08-12
[MEDIUM] CWE-918 | sources: cvelistv5, nvd
undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`: `const undici = require("undici") undici.request({origi`
CVE-2022-31151 | MEDIUM | CVSS 6.5 | fixed in 5.7.1 | 2022-07-21
[LOW] CWE-601 | sources: cvelistv5, nvd
Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a 3rd-party site or to a malicious attacker who can control the redirection tar