
Nodejs Undici vulnerabilities

30 known vulnerabilities affecting nodejs/undici.

Total CVEs: 30
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 13, LOW 6

Vulnerabilities

Page 2 of 2
CVE-2023-23936 | P4 | MEDIUM | CVSS 5.4 | CWE-93 | Affected: >= 2.0.0, < 5.19.1 | Published: 2023-02-16
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
Sources: GHSA, NVD, OSV
CVE-2026-1527 | P4 | MEDIUM | CVSS 4.6 | CWE-93 | Affected: fixed in 6.24.0; >= 7.0.0, < 7.24.0 | Published: 2026-03-12
Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: inject arbitrary HTTP headers; terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch). The vulnerability exists because undici writes the upgrad
Sources: NVD
CVE-2024-24758 | P4 | MEDIUM | CVSS 4.5 | CWE-200 | Affected: fixed in 5.28.3; >= 6.0.0, < 6.6.1; +1 more | Published: 2024-02-16
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Sources: GHSA, NVD, OSV
CVE-2024-30260 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | Affected: fixed in 5.28.4; >= 6.0.0, < 6.11.1; +1 more | Published: 2024-04-04
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in versions 5.28.4 and 6.11.1.
Sources: GHSA, NVD, OSV
CVE-2026-6733 | P4 | LOW | CVSS 3.7 | CWE-367 | Affected: fixed in 6.27.0; >= 7.0.0, < 7.28.0; +1 more | Published: 2026-06-17
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, cau
Sources: NVD
CVE-2023-45143 | P4 | LOW | CVSS 3.5 | CWE-200 | Affected: fixed in 5.26.2 | Published: 2023-10-12
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles hea
Sources: GHSA, NVD, OSV
CVE-2024-30261 | P4 | LOW | CVSS 3.5 | CWE-284 | Affected: fixed in 5.28.4; >= 6.0.0, < 6.11.1; +1 more | Published: 2024-04-04
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept responses as valid even if they have been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1.
Sources: GHSA, NVD, OSV
CVE-2026-11525 | P4 | LOW | CVSS 3.7 | CWE-183 | Affected: fixed in 6.27.0; >= 7.0.0, < 7.28.0; +1 more | Published: 2026-06-17
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permi
Sources: NVD
CVE-2025-47279 | P4 | LOW | CVSS 3.1 | CWE-401 | Affected: fixed in 5.29.0; >= 6.0.0, < 6.21.2; +1 more | Published: 2025-05-15
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in
Sources: GHSA, NVD, OSV
CVE-2024-38372 | P4 | LOW | CVSS 2.0 | CWE-201 | Affected: >= 6.14.0, < 6.19.2 | Published: 2024-07-08
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.
Sources: GHSA, NVD, OSV