Lucene search
K

50 matches found

OSV
OSV
added 2026/06/30 11:26 a.m.8 views

ROOT-APP-NPM-CVE-2026-1527 CVE-2026-1527 in @rootio/undici - Patched by Root

Root has patched CVE-2026-1527 in the @rootio/undici package for Root:npm. Multiple fixed versions available...

4.6CVSS5.9AI score0.00256EPSS
Exploits0
EUVD
EUVD
added 2026/06/19 2:19 p.m.19 views

EUVD-2026-37769

undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse...

3.7CVSS5.8AI score0.00228EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/17 11:20 p.m.13 views

CVE-2026-9697

A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier URI, it silently ignores Transport Layer Security TLS options, such as custom Certificate Authorities CAs. This allows a remote attacker to perform a Man-in-the-Middle MITM attack,...

7.4CVSS6.8AI score0.00459EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/17 6:21 p.m.7 views

Origin Validation Error

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Origin Validation Error in the Socks5ProxyAgent. An attacker can intercept or redirect sensitive data, including credentials and request payloads, to...

8.8CVSS6.4AI score0.00323EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 6:18 p.m.17 views

CVE-2026-9679

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS0.00257EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 5:16 p.m.11 views

UBUNTU-CVE-2026-12151

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS5.9AI score0.00641EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/17 4:56 p.m.5 views

CVE-2026-9679

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS5.5AI score0.00257EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/29 12:0 a.m.12 views

TencentOS Server 4: nodejs20 (TSSA-2026:0186)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0186 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

9.8CVSS7.7AI score0.0115EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.7 views

Node.js Module Undici 6.x < 6.24.0 / 7.x < 7.24.0 DoS

The nodejs module Undici detected on the host is version 6.x prior to 6.24.0 or version 7.x prior to 7.24.0. It is, therefore, affected by a denial of service vulnerability : - A flaw exists in the WebSocket client due to an integer overflow when processing frames with extremely large 64-bit leng...

7.5CVSS7.5AI score0.00488EPSS
Exploits0References2
OSV
OSV
added 2026/04/12 6:7 a.m.12 views

RLSA-2026:7080 Important: nodejs22 security update

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...

7.5CVSS5.8AI score0.26356EPSS
Exploits2References10
SUSE CVE
SUSE CVE
added 2026/04/11 9:27 a.m.6 views

SUSE CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0...

7.5CVSS7.1AI score0.00488EPSS
Exploits0References8
SUSE CVE
SUSE CVE
added 2026/04/11 9:27 a.m.3 views

SUSE CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References8
Rockylinux
Rockylinux
added 2026/04/10 12:4 a.m.5 views

nodejs:24 security update

An update is available for nodejs, module.nodejs-packaging, nodejs-packaging, module.nodejs, nodejs-nodemon, module.nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

9.8CVSS6.6AI score0.26356EPSS
Exploits1
OSV
OSV
added 2026/04/03 12:43 p.m.7 views

CLSA-2026-1775220180 nodejs: Fix of CVE-2023-45143

CVE-2023-45143: fix cookie and host header leak on cross-origin redirect in undici...

3.9CVSS6.1AI score0.01223EPSS
Exploits0References1
OSV
OSV
added 2026/03/13 8:41 p.m.8 views

GHSA-4992-7RV2-5PVQ Undici has CRLF Injection in undici via `upgrade` option

Impact When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: 1. Inject arbitrary HTTP headers 2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS5.9AI score0.00256EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/13 8:7 p.m.3 views

EUVD-2026-11685

Undici has an HTTP Request/Response Smuggling issue...

6.5CVSS5.8AI score0.00493EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/03/13 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-1525

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This...

9.8CVSS6.9AI score0.00493EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/12 10:23 p.m.5 views

CVE-2026-1528

A flaw was found in undici. A remote attacker could exploit this vulnerability by sending a specially crafted WebSocket frame with an extremely large 64-bit length. This causes undici's ByteParser to overflow its internal calculations, leading to an invalid state and a fatal TypeError. The primar...

7.5CVSS5.7AI score0.00488EPSS
Exploits0References6
OSV
OSV
added 2026/03/12 9:16 p.m.5 views

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS5.9AI score
Exploits0References3
OSV
OSV
added 2026/03/12 9:16 p.m.5 views

DEBIAN-CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS7.5AI score0.00256EPSS
Exploits0References1
Rows per page
Query Builder