VYPR

Undici

by Undici

npm: undici


CVEs (12)

  • CVE-2026-9697 (severity: important) · Jun 17, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-12151 (severity: important) · Jun 17, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-9678 (severity: moderate) · Jun 17, 2026
    risk 0.38 · CVSS 5.9 · EPSS 0.00

    undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679 (severity: moderate) · Jun 17, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-11525 (severity: low) · Jun 17, 2026
    risk 0.17 · CVSS 3.7 · EPSS 0.00

    undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733 (severity: low) · Jun 17, 2026
    risk 0.17 · CVSS 3.7 · EPSS 0.00

    undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-2229 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.01

    Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for…

  • CVE-2026-1528 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.00

    Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version…

  • CVE-2026-1527 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.00

    Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: (a) inject arbitrary HTTP headers; (b) terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis,…

  • CVE-2026-2581 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.01

    This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream…

  • CVE-2026-1526 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.01

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without…

  • CVE-2026-1525 · Mar 12, 2026
    risk 0.00 · CVSS (none listed) · EPSS 0.00

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is…
