Nodejs

Undici

30 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.26%
  • Veröffentlicht 12.03.2026 20:17:18
  • Zuletzt bearbeitet 20.03.2026 15:49:31

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to...

  • EPSS 0.57%
  • Veröffentlicht 12.03.2026 20:13:19
  • Zuletzt bearbeitet 18.03.2026 13:37:08

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in...

  • EPSS 1.15%
  • Veröffentlicht 12.03.2026 20:08:05
  • Zuletzt bearbeitet 02.07.2026 12:16:55

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incomin...

  • EPSS 0.49%
  • Veröffentlicht 12.03.2026 19:56:55
  • Zuletzt bearbeitet 19.03.2026 17:29:34

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the...

  • EPSS 0.43%
  • Veröffentlicht 14.01.2026 19:07:13
  • Zuletzt bearbeitet 22.01.2026 21:15:50

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage ...

  • EPSS 0.25%
  • Veröffentlicht 15.05.2025 17:16:02
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the...

  • EPSS 0.74%
  • Veröffentlicht 21.01.2025 18:15:14
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predi...

  • EPSS 0.47%
  • Veröffentlicht 08.07.2024 21:15:12
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.

  • EPSS 0.73%
  • Veröffentlicht 04.04.2024 16:15:08
  • Zuletzt bearbeitet 04.11.2025 17:15:50

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

Exploit
  • EPSS 0.8%
  • Veröffentlicht 04.04.2024 15:15:39
  • Zuletzt bearbeitet 04.11.2025 17:15:50

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in versio...