Security: nodejs/undici
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matchingGHSA-g8m3-5g58-fq7m published
Jun 17, 2026 by mcollinaLow -
undici WebSocket client vulnerable to denial of service via fragment count bypassGHSA-vxpw-j846-p89q published
Jun 17, 2026 by mcollinaHigh -
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgentGHSA-vmh5-mc38-953g published
Jun 17, 2026 by mcollinaHigh -
undici vulnerable to cross-user information disclosure via shared cache whitespace bypassGHSA-pr7r-676h-xcf6 published
Jun 17, 2026 by mcollinaModerate -
undici vulnerable to HTTP header injection via Set-Cookie percent-decodingGHSA-p88m-4jfj-68fv published
Jun 17, 2026 by mcollinaModerate -
undici WebSocket client vulnerable to denial of service via cumulative fragment bypassGHSA-38rv-x7px-6hhq published
Jun 17, 2026 by mcollinaHigh -
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuseGHSA-hm92-r4w5-c3mj published
Jun 17, 2026 by mcollinaHigh -
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuseGHSA-35p6-xmwp-9g52 published
Jun 17, 2026 by mcollinaLow -
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in undiciGHSA-2mjp-6q6p-2qxm published
Mar 12, 2026 by mcollinaModerate -
Malicious WebSocket 64-bit length overflows undici parser and crashes the clientGHSA-f269-vfmq-vjvj published
Mar 12, 2026 by mcollinaModerate