98 matches found
ROOT-APP-NPM-CVE-2026-1525 CVE-2026-1525 in @rootio/undici - Patched by Root
Root has patched CVE-2026-1525 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
RHEL 9 : nodejs:22 (RHSA-2026:7983)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7983 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
nodejs22 security update
An update is available for nodejs22. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a platform built on Chrome's JavaScript runtime for easily...
Important: Red Hat Security Advisory: nodejs:24 security update
An update for the nodejs:24 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1525)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1525 advisory. Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 request...
Important: nodejs24
Issue Overview: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted:...
CVE-2026-1525 vulnerabilities
Vulnerabilities for packages: code-server, jitsucom-jitsu, renovate...
CVE-2026-1525 vulnerabilities
Vulnerabilities for packages: librechat, renovate, pelias-api, kibana, jitsucom-jitsu, code-server...
0utmailauth (=1.0.0), 0xsodium (>=0.2.0 <=0.14.0) +13743 more potentially affected by CVE-2026-1525 via undici (>=0.3.3 <=6.23.0)
undici NPM version =0.3.3, =0.2.0, =1.0.0, =0.2.0, =0.1.0, =0.0.1, =1.0.21, =1.0.1, =2.1.0, =2.1.0, =2.1.1 and more Source cves: CVE-2026-1525 Source advisory: OSV:GHSA-2MJP-6Q6P-2QXM...
@01.software/cli (>=0.1.1 <=0.2.0-dev.260310.cf511cb), @01.software/sdk (>=0.0.1-251008.90016 <=0.3.0) +384 more potentially affected by CVE-2026-1525 via undici (>=7.0.0 <=7.22.0)
undici NPM version =7.0.0, =0.1.1, =0.0.1-251008.90016, =0.0.6, =0.0.2, =0.0.33, =0.0.1, =1.0.0, =21.0.0, =21.0.0, =0.5.0, =1.0.1, =12.6.9, =13.0.0-alpha.4 and more Source cves: CVE-2026-1525 Source advisory: OSV:GHSA-2MJP-6Q6P-2QXM...
CVE-2026-1525
creationtimestamp | type | source
---|---|---
2026-03-12 20:40:20+00:00 | seen | https://bsky.app/profile/ulisesgascon.com/post/3mgvb3e3qw22f...
0utmailauth (=1.0.0), @1023-ventures/ursa-core (>=0.5.2 <=0.5.3) +1991 more potentially affected by CVE-2026-1525 via undici (>=6.0.1 <=6.23.0)
undici NPM version =6.0.1, =0.5.2, =0.5.2, =1.3.7, =1.3.7, =1.3.7, =1.0.0, =1.0.0, =0.1.5-alpha.0, =1.0.9-beta.0, =0.5.21, =0.5.21, =0.1.0, =0.1.5 and more Source cves: CVE-2026-1525 Source advisory: SNYK:JS-UNDICI-15518061...
@01.software/cli (>=0.1.1 <=0.2.0-dev.260310.cf511cb), @01.software/sdk (>=0.0.1-251008.90016 <=0.3.0) +385 more potentially affected by CVE-2026-1525 via undici (>=7.0.0-alpha.3 <=7.22.0)
undici NPM version =7.0.0-alpha.3, =0.1.1, =0.0.1-251008.90016, =0.0.6, =0.0.2, =0.0.33, =0.0.1, =1.0.0, =21.0.0, =21.0.0, =0.5.0, =1.0.1, =12.6.9, =13.0.0-alpha.4 and more Source cves: CVE-2026-1525 Source advisory: SNYK:JS-UNDICI-15518061...
org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-1525 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)
org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...
CVE-2026-1525 undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: Applications...
CVE-2025-1525
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...
Linux Distros Unpatched Vulnerability : CVE-2024-1525
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all version...
CVE-2024-1525
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their...
CVE-2025-1525
creationtimestamp | type | source
---|---|---
2025-04-17 06:48:44+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3lmyj7hgssu2b
2025-04-17 06:57:14+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/12194
2025-04-17 10:28:16+00:00 | seen | ...
CVE-2025-1525
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...