Update dependency undici to v6.27.0 [SECURITY]#234
renovate[bot] wants to merge 1 commit into
Codecov Report: ✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
##            master     #234     +/-   ##
==========================================
- Coverage    98.65%   96.60%   -2.06%
==========================================
  Files           51       48       -3
  Lines         1933     1943      +10
  Branches       513      489      -24
==========================================
- Hits          1907     1877      -30
- Misses          23       59      +36
- Partials         3        7       +4
This PR contains the following updates:
undici: 6.19.2 → 6.27.0
Use of Insufficiently Random Values in undici
CVE-2025-22150 / GHSA-c76h-2ccp-4975
More information
Details
Impact
Undici `fetch()` uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Workarounds
Do not issue multipart requests to attacker controlled servers.
References
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici Denial of Service attack via bad certificate data
CVE-2025-47279 / GHSA-cxrh-j4jr-qwg3
More information
Details
Impact
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak.
Patches
This has been patched in https://github.com/nodejs/undici/pull/4088.
Workarounds
If a webhook fails, avoid calling it repeatedly.
References
Reported as: https://github.com/nodejs/undici/issues/3895
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
CVE-2026-22036 / GHSA-g9mf-h72j-4rw9
More information
Details
Impact
The `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, br`). This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation.
Patches
Upgrade to 7.18.2 or 6.23.0.
Workarounds
It is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.
References
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
CVE-2026-1528 / GHSA-f269-vfmq-vjvj
More information
Details
Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
There are no workarounds.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has an HTTP Request/Response Smuggling issue
CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm
More information
Details
Impact
Undici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.
Who is impacted:
- `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays
Potential consequences:
- `Content-Length` headers (400 Bad Request)
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
If upgrading is not immediately possible:
- `Content-Length` headers (case-insensitive) are present before passing headers to undici
- `{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8
More information
Details
Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The `createInflateRaw()` call is not wrapped in a try-catch block
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q
More information
Details
Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Impact
Patches
Users should upgrade to fixed versions.
Workarounds
No workarounds are possible.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has CRLF Injection in undici via `upgrade` option
CVE-2026-1527 / GHSA-4992-7rv2-5pvq
More information
Details
Impact
When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (\r\n) to:
The vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
Sanitize the `upgrade` option string before passing to undici:
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici WebSocket client vulnerable to denial of service via fragment count bypass
CVE-2026-12151 / GHSA-vxpw-j846-p89q
More information
Details
Impact
The undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (`new WebSocket(...)`) or the `WebSocketStream` API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
No workaround is available. The fix must be applied through an upgrade.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
CVE-2026-6733 / GHSA-35p6-xmwp-9g52
More information
Details
Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
Disable keep-alive connection reuse by setting `keepAliveTimeout: 0` on the Client or Pool.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
CVE-2026-9679 / GHSA-p88m-4jfj-68fv
More information
Details
Impact
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a `Set-Cookie` header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary `Set-Cookie`, `Location`, or `Cache-Control` headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (`parseSetCookie`, `parseCookie`, `getSetCookies`) and forward the parsed cookie value into a response header. This was introduced in undici 7.0.0 via #3789.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
If upgrade is not immediately possible, do not forward values returned by `parseSetCookie`/`parseCookie`/`getSetCookies` directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, `;`, and `=` bytes.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
CVE-2026-11525 / GHSA-g8m3-5g58-fq7m
More information
Details
Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens: `SameSite=NoneOfYourBusiness` is parsed as `None`, the most permissive setting. `SameSite=StrictLax` is parsed as `Lax`, a downgrade from `Strict`.
Affected applications are those that consume `Set-Cookie` headers from server responses (for example via undici's `fetch` or proxy code paths) and then forward or rely on the parsed `sameSite` attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
After parsing a `Set-Cookie` header, validate that the resulting `sameSite` attribute is one of `'Strict'`, `'Lax'`, or `'None'` (exact, case-insensitive) before forwarding or relying on it.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nodejs/undici (undici)
v6.27.0 (Compare Source)
This release line addresses 4 security advisories.
The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g,
GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the
8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).
Summary
Fix commits: b7f252e7, 25efa447, 25efa447, f4c31d60
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)
A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.
`new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
Moderate severity
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly
`parseSetCookie` applied percent-decoding to cookie values, turning encoded sequences like `%0D%0A` and `%00` into literal bytes, contrary to RFC 6265 §5.4 and browser behavior. Applications forwarding parsed Set-Cookie values into response headers were exposed to header injection, enabling session fixation, open redirects, and cache poisoning.
NUL, `;`, and `=`.
Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted `SameSite` values containing `Strict`, `Lax`, or `None` as substrings rather than requiring exact matches per RFC 6265. Values like `SameSite=NoneOfYourBusiness` parsed as `None`, and `SameSite=StrictLax` parsed as `Lax`, silently weakening cookie security policies for apps that forward parsed attributes.
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: f4c31d60 fix: guard idle socket validation to skip fresh sockets (#5400)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited responses onto idle keep-alive sockets. On socket reuse, the injected response was associated with a new request, delivering responses to the wrong requests.
keep-alive reuse.
`keepAliveTimeout: 0` on the Client or Pool.
Release contents & deliberate backports
v6.27.0 is a security-only release — every change in it is one of the fixes
above, backported to the v6.x maintenance line on purpose:
- #5428 — backport of the WebSocket `maxPayloadSize` fragment-count / cumulative-size limits to v6.x (CVE-2026-12151; this is the v6 counterpart of the v7 backport #5423).
- #5400 — idle-socket-validation fix for the queue-poisoning issue (CVE-2026-6733).
The cookie fix (25efa447, covering both CVE-2026-9679 and CVE-2026-11525) was applied directly to the v6.x branch. Full changelog: v6.26.0...v6.27.0.
Credits
Per-advisory credits (as recorded in each GHSA):
v6.26.0 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v6.25.0...v6.26.0
v6.25.0 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v6.24.1...v6.25.0
v6.24.1 (Compare Source)
Full Changelog: nodejs/undici@v6.24.0...v6.24.1
v6.24.0 (Compare Source)
Undici v6.24.0 Security Release Notes (LTS)
This release backports fixes for security vulnerabilities affecting the v6 line.
Upgrade guidance
All users on v6 should upgrade to v6.24.0 or later.
Fixed advisories
GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).
GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.
GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the `upgrade` option.
GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid `server_max_window_bits` in WebSocket permessage-deflate negotiation.
GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.
Not applicable to v6
`>= 7.17.0 < 7.24.0` only.
Affected and patched ranges (v6)
- `< 6.24.0`, patched `6.24.0`
- `>= 6.0.0 < 6.24.0`, patched `6.24.0`
- `< 6.24.0`, patched `6.24.0`
- `< 6.24.0`, patched `6.24.0`
- `< 6.24.0`, patched `6.24.0`
References
v6.23.0 (Compare Source)
This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.
Full Changelog: nodejs/undici@v6.22.0...v6.23.0
v6.22.0 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v6.21.3...v6.22.0
v6.21.3 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v6.21.2...v6.21.3
v6.21.2 (Compare Source)
What's Changed
New Contributors
Full Changelog: nodejs/undici@v6.21.1...v6.21.2
v6.21.1 (Compare Source)
Fixes CVE-2025-22150 / GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).
What's Changed
183f8e9 to v6.x by @ggoodman in #3855
Full Changelog: nodejs/undici@v6.21.0...v6.21.1
v6.21.0 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v6.20.1...v6.21.0
v6.20.1 (Compare Source)
What's Changed
`BodyReadable.bytes` by @github-actions in #3711
Full Changelog: nodejs/undici@v6.20.0...v6.20.1
v6.20.0 (Compare Source)
What's Changed
`v6.x` branch) by @eXhumer in #3531
Full Changelog: nodejs/undici@v6.19.8...v6.20.0
v6.19.8 (Compare Source)
Full Changelog: nodejs/undici@v6.19.7...v6.19.8
v6.19.7 (Compare Source)
Full Changelog: nodejs/undici@v6.19.6...v6.19.7
v6.19.6 (Compare Source)
Full Changelog: nodejs/undici@v6.19.5...v6.19.6
v6.19.5 (Compare Source)
Full Changelog: nodejs/undici@v6.19.4...v6.19.5
v6.19.4 (Compare Source)
Full Changelog: nodejs/undici@v6.19.3...v6.19.4
v6.19.3 (Compare Source)
Full Changelog: nodejs/undici@v6.19.2...v6.19.3
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
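As an added example (not undici's code and not part of this PR), the following Node.js helpers implement the defensive workarounds the advisories above describe for applications that cannot take the v6.27.0 upgrade immediately: collapsing case-variant `Content-Length` headers into the object form before they reach `undici.request()` (GHSA-2mjp-6q6p-2qxm), rejecting control characters in an `upgrade` value (GHSA-4992-7rv2-5pvq), refusing CR, LF, NUL, `;` and `=` in parsed cookie values (GHSA-p88m-4jfj-68fv), exact-matching `SameSite` (GHSA-g8m3-5g58-fq7m), and bounding the `Content-Encoding` chain before decompressing (GHSA-g9mf-h72j-4rw9). The function names, the token grammar applied to `upgrade`, and the default chain limit of 2 are this example's own assumptions.

```javascript
// Added example, not code from undici or from this PR: header-hygiene helpers
// implementing the workarounds quoted in the advisories above. Function names,
// the token grammar used for `upgrade`, and the default chain limit are this
// example's own choices. Plain Node.js, no dependencies.

// GHSA-2mjp-6q6p-2qxm: undici's low-level APIs accept headers as a flat
// [name, value, name, value, ...] array, which lets case-variant duplicates
// through. Convert to an object keyed by the lowercased name, as the advisory
// suggests, and refuse a second Content-Length instead of silently keeping one.
function flatHeadersToObject(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new Error('flat header array must contain name/value pairs');
  }
  const out = {};
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]).toLowerCase();
    const value = String(flat[i + 1]);
    if (name === 'content-length') {
      if (!/^\d+$/.test(value)) throw new Error('content-length must be decimal digits');
      if (name in out) throw new Error('duplicate content-length header rejected');
      out[name] = value;
    } else if (name in out) {
      // Other repeated headers are legitimate; keep every value as a list.
      out[name] = [].concat(out[name], value);
    } else {
      out[name] = value;
    }
  }
  return out;
}

// GHSA-4992-7rv2-5pvq: the `upgrade` option is written to the socket as-is.
// Accept only a single RFC 9110 protocol token, optionally "/version"
// (e.g. "websocket", "HTTP/2.0"); CR, LF and every other control byte fail.
const UPGRADE_VALUE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+(\/[!#$%&'*+\-.^_`|~0-9A-Za-z]+)?$/;
function isSafeUpgradeValue(value) {
  return typeof value === 'string' && UPGRADE_VALUE.test(value);
}

// GHSA-p88m-4jfj-68fv: a cookie value taken from an upstream Set-Cookie must
// not be forwarded into a response header if it carries CR, LF, NUL, ';' or '='.
function isSafeCookieValue(value) {
  return typeof value === 'string' && !/[\r\n\0;=]/.test(value);
}

// GHSA-g8m3-5g58-fq7m: accept SameSite only as an exact, case-insensitive
// match and return the canonical spelling; anything else yields null so the
// caller cannot inherit a silently downgraded policy.
function normalizeSameSite(value) {
  const canonical = { strict: 'Strict', lax: 'Lax', none: 'None' };
  return canonical[String(value).trim().toLowerCase()] || null;
}

// GHSA-g9mf-h72j-4rw9: count the codings in a Content-Encoding header and
// refuse long chains before any decompressor is attached. A limit of 2
// (e.g. "gzip, br") is this example's assumption, not a value from undici.
function contentEncodingChainLength(header) {
  if (typeof header !== 'string') return 0;
  return header.split(',').map((s) => s.trim()).filter(Boolean).length;
}
function isAcceptableContentEncoding(header, maxLinks = 2) {
  return contentEncodingChainLength(header) <= maxLinks;
}

// Constructed sample inputs, run as a quick self-check when executed directly.
function selfCheck() {
  return {
    headers: flatHeadersToObject(['Content-Type', 'text/plain', 'Content-Length', '5']),
    upgradeOk: isSafeUpgradeValue('websocket'),
    upgradeBad: isSafeUpgradeValue('websocket\r\nX-Injected: 1'),
    cookieBad: isSafeCookieValue('sid=abc\r\nSet-Cookie: admin=1'),
    sameSite: normalizeSameSite('NoneOfYourBusiness'),
    encoding: isAcceptableContentEncoding('gzip, gzip, gzip, gzip, gzip'),
  };
}
console.log(selfCheck());
```

Each helper is meant to sit at the boundary where untrusted data enters the HTTP layer: `flatHeadersToObject` before building request options, `isSafeUpgradeValue` before setting `upgrade`, and the cookie and encoding checks on the response path before anything parsed from an upstream is forwarded or decompressed.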