Undici
Undici (npm): 12 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-9697 | undici | Important | 0.48 | 7.4 | 0.00 | | Jun 17, 2026 | Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy |
| CVE-2026-12151 | undici | Important | 0.42 | 7.5 | 0.00 | | Jun 17, 2026 | Denial of Service due to unbounded memory growth via WebSocket frames |
| CVE-2026-9678 | undici | Moderate | 0.38 | 5.9 | 0.00 | | Jun 17, 2026 | Information disclosure due to improper cache-control header parsing |
| CVE-2026-9679 | undici | Moderate | 0.31 | 5.9 | 0.00 | | Jun 17, 2026 | HTTP header injection via Set-Cookie percent-decoding |
| CVE-2026-11525 | undici | Low | 0.17 | 3.7 | 0.00 | | Jun 17, 2026 | Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header |
| CVE-2026-6733 | undici | Low | 0.17 | 3.7 | 0.00 | | Jun 17, 2026 | Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery |
| CVE-2026-2229 | undici | | 0.00 | — | 0.00 | | Mar 12, 2026 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for… |
| CVE-2026-1528 | undici | | 0.00 | — | 0.00 | | Mar 12, 2026 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version… |
| CVE-2026-1527 | undici | | 0.00 | — | 0.00 | | Mar 12, 2026 | Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to inject arbitrary HTTP headers, or to terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis,… |
| CVE-2026-2581 | undici | | 0.00 | — | 0.01 | | Mar 12, 2026 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream… |
| CVE-2026-1526 | undici | | 0.00 | — | 0.01 | | Mar 12, 2026 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without… |
| CVE-2026-1525 | undici | | 0.00 | — | 0.00 | | Mar 12, 2026 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is… |
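The CVE-2026-1527 and CVE-2026-1525 rows describe two faults on the request-building side: a caller-supplied `upgrade` value that is written into the request head without being checked for CR/LF, and header names that are deduplicated case-sensitively so `Content-Length` and `content-length` both reach the wire. The block below is an added example written for this page, not undici's code: it shows the checks an HTTP client (or a caller wrapping one) should apply before serializing a request head. `validateUpgradeToken`, `normalizeHeaders` and `buildRequestHead` are names chosen here, and the object and flat `[name, value, ...]` header shapes it accepts are assumptions for the example.

```javascript
// Added example, not undici code: request-head construction with the two
// injection paths closed. Assumed shapes: headers as an object or as a flat
// [name, value, name, value, ...] array; `upgrade` as a single protocol token.

// RFC 9110 token grammar: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+"
// / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. CR, LF, SP and ":"
// are all outside it, so a valid token can never start a second header line.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Accept a value for the Upgrade header only if it is exactly one token.
function validateUpgradeToken(value) {
  if (typeof value !== 'string' || !TOKEN_RE.test(value)) {
    throw new TypeError(`invalid upgrade protocol: ${JSON.stringify(value)}`);
  }
  return value;
}

// Fold a header set into a Map keyed by lowercase name. Names must be tokens,
// values must not contain CR/LF, and Content-Length is collapsed to one line:
// conflicting case-variant copies are an error instead of two wire lines.
function normalizeHeaders(headers) {
  const pairs = [];
  if (Array.isArray(headers)) {
    if (headers.length % 2 !== 0) throw new TypeError('headers array must be even-length');
    for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
  } else if (headers && typeof headers === 'object') {
    for (const [k, v] of Object.entries(headers)) pairs.push([k, v]);
  } else if (headers != null) {
    throw new TypeError('headers must be an object or an array');
  }
  const out = new Map();
  for (const [rawName, rawValue] of pairs) {
    if (typeof rawName !== 'string' || !TOKEN_RE.test(rawName)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(rawName)}`);
    }
    const name = rawName.toLowerCase(); // header names are case-insensitive
    const values = (Array.isArray(rawValue) ? rawValue : [rawValue]).map(String);
    for (const v of values) {
      if (/[\r\n]/.test(v)) throw new TypeError(`CR/LF in value of header ${name}`);
    }
    const prev = out.get(name) ?? [];
    if (name === 'content-length') {
      const all = [...prev, ...values];
      if (!all.every((v) => /^\d+$/.test(v) && v === all[0])) {
        throw new TypeError(`conflicting Content-Length values: ${all.join(', ')}`);
      }
      out.set(name, [all[0]]); // exactly one Content-Length line on the wire
    } else {
      out.set(name, [...prev, ...values]);
    }
  }
  return out;
}

// Serialize the request head; every name and value has been validated above.
function buildRequestHead(method, path, { headers = {}, upgrade } = {}) {
  const h = normalizeHeaders(headers);
  if (upgrade !== undefined) {
    h.set('connection', ['upgrade']);
    h.set('upgrade', [validateUpgradeToken(upgrade)]);
  }
  let head = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, values] of h) {
    for (const v of values) head += `${name}: ${v}\r\n`;
  }
  return head + '\r\n';
}

// Constructed inputs: a clean upgrade request, then the two attacks.
console.log(buildRequestHead('GET', '/', { headers: { Host: 'example.test' }, upgrade: 'websocket' }));
for (const attempt of [
  () => buildRequestHead('GET', '/', { headers: { Host: 'example.test' },
    upgrade: 'websocket\r\nX-Injected: 1\r\n\r\nSET key value' }),
  () => buildRequestHead('POST', '/', { headers: ['Content-Length', '10', 'content-length', '5'] }),
]) {
  try { attempt(); console.log('accepted (bug)'); } catch (e) { console.log('rejected:', e.message); }
}
```

The token check is deliberately stricter than "no CR/LF": rejecting spaces and colons too means a value can never be misread as a header name, which also covers clients that fold header lines differently.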
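The CVE-2026-1528 row describes a server-sent frame that uses the 64-bit payload-length form with a value so large that the client's arithmetic overflows and the process dies on an uncaught TypeError. The block below is an added example written for this page, not undici's code: a client-side WebSocket frame-header parser that validates the length field before any allocation or arithmetic depends on it, and reports violations as a recoverable error carrying the RFC 6455 close code (1002 protocol error, 1009 message too big) rather than crashing. `parseFrameHeader`, `encodeFrameHeader`, `FrameError` and the default 16 MiB cap are names and values chosen here.

```javascript
// Added example, not undici code: defensive WebSocket frame-header parsing.
// Assumed API: parseFrameHeader(bytes, maxPayload) returns a header object,
// null when more bytes are needed, or throws FrameError with a close code.

class FrameError extends Error {
  constructor(closeCode, message) {
    super(message);
    this.closeCode = closeCode; // 1002 protocol error, 1009 message too big
  }
}

const MAX_PAYLOAD_DEFAULT = 16 * 1024 * 1024; // application-chosen cap, assumption

function parseFrameHeader(bytes, maxPayload = MAX_PAYLOAD_DEFAULT) {
  const buf = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  if (buf.length < 2) return null;
  const b0 = buf[0], b1 = buf[1];
  const fin = (b0 & 0x80) !== 0;
  const rsv = b0 & 0x70;
  const opcode = b0 & 0x0f;
  const masked = (b1 & 0x80) !== 0;
  const len7 = b1 & 0x7f;

  // RFC 6455 5.1: a client MUST fail the connection on a masked server frame.
  if (masked) throw new FrameError(1002, 'server frames must not be masked');
  // RFC 6455 5.5: control frames are <= 125 bytes and never fragmented.
  if ((opcode & 0x08) !== 0 && (len7 > 125 || !fin)) {
    throw new FrameError(1002, 'control frame too long or fragmented');
  }

  let offset = 2;
  let payloadLength;
  if (len7 < 126) {
    payloadLength = len7;
  } else if (len7 === 126) {
    if (buf.length < 4) return null;
    payloadLength = (buf[2] << 8) | buf[3];
    if (payloadLength < 126) throw new FrameError(1002, 'non-minimal 16-bit length');
    offset = 4;
  } else {
    if (buf.length < 10) return null;
    // Read the 64-bit length as a BigInt so no intermediate Number overflows.
    const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
    const big = view.getBigUint64(2); // network byte order
    if (big >> 63n) throw new FrameError(1002, 'MSB of 64-bit length must be 0');
    if (big < 65536n) throw new FrameError(1002, 'non-minimal 64-bit length');
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) {
      throw new FrameError(1009, `length ${big} exceeds safe integer range`);
    }
    payloadLength = Number(big);
    offset = 10;
  }
  // Apply the application limit before anything is allocated for the payload.
  if (payloadLength > maxPayload) {
    throw new FrameError(1009, `payload ${payloadLength} exceeds limit ${maxPayload}`);
  }
  return { fin, rsv, opcode, payloadLength, headerLength: offset };
}

// Builds an unmasked header (as a server would send) for constructed inputs.
function encodeFrameHeader(opcode, length, fin = true) {
  const b0 = (fin ? 0x80 : 0) | (opcode & 0x0f);
  if (length < 126) return Uint8Array.from([b0, length]);
  if (length < 65536) return Uint8Array.from([b0, 126, length >> 8, length & 0xff]);
  const out = new Uint8Array(10);
  out[0] = b0;
  out[1] = 127;
  new DataView(out.buffer).setBigUint64(2, BigInt(length));
  return out;
}

// Constructed frames: a small text frame, then the all-ones 64-bit length.
console.log(parseFrameHeader(encodeFrameHeader(0x1, 2)));
try {
  parseFrameHeader(Uint8Array.from([0x82, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]));
} catch (e) {
  console.log(`close ${e.closeCode}: ${e.message}`);
}
```

The caller catches `FrameError`, sends a Close frame with `closeCode`, and tears down that one connection; the rest of the process keeps running, which is the property the CVE-2026-1528 description says was missing.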