17 matches found
CVE-2023-45143
CVE-2023-45143 affects Undici, an HTTP/1.1 client for Node.js. Prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but did not clear Cookie headers, which are forbidden in browser environments. This mismatch between Undici’s header handling and the browser/spec...
CVE-2023-24807
The CVE-2023-24807 issue is in Undici’s header normalization (headerValueNormalize) used by the Headers.fetch API, allowing a Regular Expression Denial of Service when untrusted header values are processed. Affected range is before Undici v5.19.1; the vulnerability is fixed in v5.19.1. Upgrading ...
CVE-2022-31150
CVE-2022-31150 (undici): An HTTP/1.1 client for Node.js is vulnerable to CRLF injection in request headers in undici versions
CVE-2022-35948
CVE-2022-35948 affects the undici HTTP/1.1 client for Node.js. When user input is unsanitized in the Content-Type header, CRLF Injection can cause multiple requests in a single call (e.g., two GETs). The issue is fixed in undici v5.8.1; workaround: sanitize input before sending as a Content-Type ...
CVE-2022-31151
CVE-2022-31151 affects the Node.js undici HTTP client. The issue is that during cross-origin redirects, authorization headers are cleared but cookie headers are not, potentially leaking cookies to a third party if an attacker controls the redirect target. The problem was patched in undici v5.7.1,...
CVE-2024-30260
Undici (Node.js HTTP/1.1 client) had a header handling flaw: Authorization and Proxy-Authorization were cleared for fetch() but not for undici.request(), exposing potential credential leakage. The issue is addressed in patched releases 5.28.4 and 6.11.1. Affected users should upgrade to these ver...
CVE-2024-30261
CVE-2024-30261 affects Undici (the HTTP/1.1 client used by Node.js). The issue lets an attacker modify the integrity option passed to fetch(), causing fetch() to accept tampered requests. It has been patched in Undici versions 5.28.4 and 6.11.1. Affected Node.js ecosystems (via Undici) may need u...
CVE-2024-24758
Undici (Node.js HTTP/1.1 client) has a vulnerability where Proxy-Authorization headers were not cleared during cross-origin redirects. It is fixed in versions 5.28.3 and 6.6.1. Affected versions include older releases prior to these patches; upgrading to 5.28.3 or 6.6.1 or newer is advised. The i...
CVE-2026-1525
CVE-2026-1525 is an Undici HTTP client issue where passing duplicate Content-Length headers (especially with mixed case variants like Content-Length and content-length) can produce malformed HTTP/1.1 requests and enable HTTP Request Smuggling in misconfigured environments. Public advisories indic...
CVE-2026-1526
undici WebSocket PerMessageDeflate.decompress() can accumulate decompressed data without a size limit, enabling a decompression bomb that may exhaust Node.js memory and crash or render the process unresponsive. The description specifies a denial-of-service via memory exhaustion. No remediation or...
CVE-2026-11525
The issue affects undici’s cookie parsing in Set-Cookie headers. The root cause is a permissive substring match for the SameSite attribute during parsing, accepting any value containing Strict, Lax, or None instead of enforcing a case-insensitive exact match per RFC 6265. This can cause downstrea...
CVE-2026-2229
The CVE affects the undici WebSocket client. It arises from improper validation of the server_max_window_bits parameter in the permessage-deflate extension: isValidClientWindowBits() only checks ASCII digits and not the 8–15 range, and createInflateRaw() is not wrapped in a try-catch. A malicious...
CVE-2026-1528
CVE-2026-1528 : A flaw in undici’s WebSocket handling allows a server to reply with a 64‑bit length frame that specifies an extremely large length. The ByteParser overflows internal math, enters an invalid state, and throws a fatal TypeError that terminates the process. Affected: undici (Node.js ...
CVE-2026-6733
Undici’s HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes; when the client issues the next request on that socket, the injected r...
CVE-2026-22036
Undici (HTTP/1.1 client for Node.js) contains a vulnerability in its decompression chain handling. Before versions 7.18.0 and 6.23.0, the chain can have an unbounded number of links, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, causing high CPU...
CVE-2026-9679
undici vulnerability CVE-2026-9679 affects the cookie parsing paths (parseSetCookie, parseCookie, getSetCookies). The cookie parser percent-decodes values (via qsUnescape), turning sequences like %0D%0A, %00, %3B, and %3D into literal bytes. RFC 6265 §5.4 does not require decoding and browsers do...
CVE-2026-1527
Undici (Node.js HTTP client) is vulnerable to a CRLF injection via the upgrade option in client.request() when user-controlled input is passed to the upgrade value. The root cause is that the upgrade value is written directly to the socket without validating header characters, allowing an attacke...