VYPR

Undici

by Node.js

npm: undici

Source repositories

CVEs (17)

  • CVE-2025-22150 | Medium | Jan 21, 2025
    risk 0.37 · cvss 6.8 · epss 0.01

    Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its…

  • CVE-2025-47279 | Low | May 15, 2025
    risk 0.13 · cvss 3.1 · epss 0.00

    Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the…

  • CVE-2024-38372 | Low | Jul 8, 2024
    risk 0.06 · cvss 2.0 · epss 0.00

    Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.

  • CVE-2026-9675 | Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the…

  • CVE-2026-22036 | Jan 14, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory…

  • CVE-2024-30260 | Apr 4, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

  • CVE-2024-30261 | Apr 4, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

  • CVE-2024-24750 | Feb 16, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions, calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade.…

  • CVE-2024-24758 | Feb 16, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There…

  • CVE-2023-45143 | Oct 12, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be…

  • CVE-2023-23936 | Feb 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host`…

  • CVE-2023-24807 | Feb 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient…

  • CVE-2022-35948 | Aug 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from…

  • CVE-2022-35949 | Aug 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or…

  • CVE-2022-31151 | Jul 20, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a…

  • CVE-2022-31150 | Jul 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a…

  • CVE-2022-32210 | Jul 14, 2022
    risk 0.00 · cvss n/a · epss 0.00

    `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are…