847 matches found
ROOT-APP-NPM-CVE-2026-1527 CVE-2026-1527 in @rootio/undici - Patched by Root
Root has patched CVE-2026-1527 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-1525 CVE-2026-1525 in @rootio/undici - Patched by Root
Root has patched CVE-2026-1525 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-1526 CVE-2026-1526 in @rootio/undici - Patched by Root
Root has patched CVE-2026-1526 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-2229 CVE-2026-2229 in @rootio/undici - Patched by Root
Root has patched CVE-2026-2229 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-22150 CVE-2025-22150 in @rootio/undici - Patched by Root
Root has patched CVE-2025-22150 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-22036 CVE-2026-22036 in @rootio/undici - Patched by Root
Root has patched CVE-2026-22036 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-12151 CVE-2026-12151 in @rootio/undici - Patched by Root
Root has patched CVE-2026-12151 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
Security Bulletin: Vulnerability in undici bundled with IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage
Summary IBM Fusion, IBM Fusion HCI, and IBM Fusion Content-Aware Storage include the undici library, which is affected by a denial of service vulnerability. CVE-2026-22036 Vulnerability Details CVEID:CVE-2026-22036 DESCRIPTION: Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0,...
SUSE CVE-2026-6734
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This caus...
SUSE CVE-2026-9697
Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servernam...
nodejs:24 security, bug fix, and enhancement update
An update is available for nodejs-packaging, module.nodejs-nodemon, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...
undici: Undici: Information disclosure due to improper cache-control header parsing
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket...
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...
undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier URI, it silently ignores Transport Layer Security TLS options, such as custom Certificate Authorities CAs. This allows a remote attacker to perform a Man-in-the-Middle MITM attack,...
undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from...
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket...
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...
ROOT-APP-NPM-CVE-2026-9697 CVE-2026-9697 in @rootio/undici - Patched by Root
Root has patched CVE-2026-9697 in the @rootio/undici package for Root:npm. Multiple fixed versions available...