4 matches found
CVE-2026-9679
undici vulnerability CVE-2026-9679 affects the cookie parsing paths (parseSetCookie, parseCookie, getSetCookies). The cookie parser percent-decodes values (via qsUnescape), turning sequences like %0D%0A, %00, %3B, and %3D into literal bytes. RFC 6265 §5.4 does not require decoding and browsers do...
MiracleLinux 9 : nodejs:18 (AXSA:2023-6525:01)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6525:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487). nodejs: integrity checks according to...
Node.js 18.x < 18.18.2 / 20.x < 20.8.1 Multiple Vulnerabilities (Friday October 13 2023 Security Releases).
The version of Node.js installed on the remote host is prior to 18.18.2, 20.8.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Friday October 13 2023 Security Releases advisory. - Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie...
CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici
Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...