CVE-2026-11525
- EPSS 0.25%
- Veröffentlicht 17.06.2026 17:31:03
- Zuletzt bearbeitet 25.06.2026 17:46:21
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one ...
CVE-2026-6733
- EPSS 0.23%
- Veröffentlicht 17.06.2026 17:14:50
- Zuletzt bearbeitet 27.06.2026 23:46:06
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client...
CVE-2026-9678
- EPSS 0.37%
- Veröffentlicht 17.06.2026 17:04:09
- Zuletzt bearbeitet 25.06.2026 17:44:16
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorizatio...
CVE-2026-9679
- EPSS 0.26%
- Veröffentlicht 17.06.2026 16:56:18
- Zuletzt bearbeitet 25.06.2026 17:43:39
Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do n...
CVE-2026-9697
- EPSS 0.46%
- Veröffentlicht 17.06.2026 16:46:42
- Zuletzt bearbeitet 09.07.2026 13:17:32
Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured...
CVE-2026-6734
- EPSS 0.32%
- Veröffentlicht 17.06.2026 16:36:55
- Zuletzt bearbeitet 09.07.2026 13:17:31
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, re...
CVE-2026-9675
- EPSS 0.43%
- Veröffentlicht 17.06.2026 16:20:32
- Zuletzt bearbeitet 25.06.2026 17:46:52
Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but c...
CVE-2026-12151
- EPSS 0.76%
- Veröffentlicht 17.06.2026 16:05:38
- Zuletzt bearbeitet 09.07.2026 13:16:47
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frame...
CVE-2026-2229
- EPSS 0.87%
- Veröffentlicht 12.03.2026 20:27:05
- Zuletzt bearbeitet 02.07.2026 12:17:01
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically adver...
CVE-2026-1528
- EPSS 0.49%
- Veröffentlicht 12.03.2026 20:21:57
- Zuletzt bearbeitet 02.07.2026 12:16:55
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches ...