CVE-2026-1527
- EPSS 0.26%
- Veröffentlicht 12.03.2026 20:17:18
- Zuletzt bearbeitet 20.03.2026 15:49:31
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to...
CVE-2026-2581
- EPSS 0.57%
- Veröffentlicht 12.03.2026 20:13:19
- Zuletzt bearbeitet 18.03.2026 13:37:08
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in...
CVE-2026-1526
- EPSS 1.15%
- Veröffentlicht 12.03.2026 20:08:05
- Zuletzt bearbeitet 02.07.2026 12:16:55
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incomin...
CVE-2026-1525
- EPSS 0.49%
- Veröffentlicht 12.03.2026 19:56:55
- Zuletzt bearbeitet 19.03.2026 17:29:34
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the...
CVE-2026-22036
- EPSS 0.43%
- Veröffentlicht 14.01.2026 19:07:13
- Zuletzt bearbeitet 22.01.2026 21:15:50
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage ...
CVE-2025-47279
- EPSS 0.25%
- Veröffentlicht 15.05.2025 17:16:02
- Zuletzt bearbeitet 15.04.2026 00:35:42
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the...
CVE-2025-22150
- EPSS 0.74%
- Veröffentlicht 21.01.2025 18:15:14
- Zuletzt bearbeitet 15.04.2026 00:35:42
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predi...
- EPSS 0.47%
- Veröffentlicht 08.07.2024 21:15:12
- Zuletzt bearbeitet 15.04.2026 00:35:42
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
CVE-2024-30260
- EPSS 0.73%
- Veröffentlicht 04.04.2024 16:15:08
- Zuletzt bearbeitet 04.11.2025 17:15:50
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-30261
- EPSS 0.8%
- Veröffentlicht 04.04.2024 15:15:39
- Zuletzt bearbeitet 04.11.2025 17:15:50
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in versio...