15 matches found

Added 2025/01/21 6:15 p.m., 497 views

CVE-2025-22150

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If...

CVSS 6.8, AI score 6.4, EPSS 0.00038
Added 2023/10/12 5:15 p.m., 479 views

CVE-2023-45143

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.header...

CVSS 3.9, AI score 5.5, EPSS 0.00078
Added 2023/02/16 6:15 p.m., 276 views

CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to nor...

CVSS 7.5, AI score 7.9, EPSS 0.00248
Added 2023/02/16 6:15 p.m., 264 views

CVE-2023-23936

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to u...

CVSS 6.5, AI score 6.9, EPSS 0.0048
Added 2022/07/19 9:15 p.m., 163 views

CVE-2022-31150

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issu...

CVSS 6.5, AI score 7, EPSS 0.00252
Added 2022/08/12 11:15 p.m., 161 views

CVE-2022-35949

undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = requ...

CVSS 9.8, AI score 7, EPSS 0.00362
Added 2022/08/15 11:21 a.m., 150 views

CVE-2022-35948

undici is an HTTP/1.1 client, written from scratch for Node.js. =< [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import { request } from 'undici' const unsanitizedContentT...

CVSS 5.3, AI score 6.4, EPSS 0.00256
Added 2022/07/21 4:15 a.m., 126 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a...

CVSS 6.5, AI score 5.1, EPSS 0.0018
Added 2024/02/16 10:15 p.m., 91 views

CVE-2024-24758

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarou...

CVSS 4.5, AI score 3.9, EPSS 0.00105
Added 2024/04/04 3:15 p.m., 91 views

CVE-2024-30261

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS 3.5, AI score 4.2, EPSS 0.00175
Added 2025/05/15 6:15 p.m., 90 views

CVE-2025-47279

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then...

CVSS 3.1, AI score 3.8, EPSS 0.00037
Added 2024/04/04 4:15 p.m., 80 views

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS 4.3, AI score 4.8, EPSS 0.00122
Added 2022/07/14 3:15 p.m., 77 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain...

CVSS 6.5, AI score 6.3, EPSS 0.00107
Added 2024/02/16 10:15 p.m., 52 views

CVE-2024-24750

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgra...

CVSS 6.5, AI score 6.2, EPSS 0.00356
Added 2024/07/08 9:15 p.m., 50 views

CVE-2024-38372

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch() request, response.arrayBuffer() might include portion of memory from the Node.js process. This has been patched in v6.19.2.

CVSS 2, AI score 3.4, EPSS 0.0025