11 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-9678
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified...
Linux Distros Unpatched Vulnerability : CVE-2026-6734
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the...
EUVD-2026-37766
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass...
Origin Validation Error
Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Origin Validation Error in the Socks5ProxyAgent. An attacker can intercept or redirect sensitive data, including credentials and request payloads, to unintended origins b...
DEBIAN-CVE-2026-6733
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it...
CVE-2026-6734
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This caus...
CVE-2026-9675 undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causin...
EUVD-2026-11703
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client...
CVE-2026-1528
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0...
SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:0457-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0457-1 advisory. - Update to 20.20.0: - CVE-2026-22036: Updated undici to 6.23.0 bsc1256848 - CVE-2025-59465: Add TLSSocket default error handler...
SUSE-SU-2026:0435-1 Security update for nodejs20
This update for nodejs20 fixes the following issues: - Update to 20.20.0: - CVE-2026-22036: Updated undici to 6.23.0 bsc1256848 - CVE-2025-59465: Add TLSSocket default error handler bsc1256573 - CVE-2025-55132: Disable futimes when permission model is enabled bsc1256571 - CVE-2025-55130: Require...