chore(deps): update dependency undici to >=7.28.0 [security]#1394
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
undici: `>=7.18.2` → `>=7.28.0`

Undici has an HTTP Request/Response Smuggling issue
CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm
Impact
Undici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.

Who is impacted:

- `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays

Potential consequences:

- `Content-Length` headers (400 Bad Request)

Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
Workarounds
If upgrading is not immediately possible:
- `Content-Length` headers (case-insensitive) are present before passing headers to undici
- `{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key

Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
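The advisory's workaround is to check a flat header array for case-variant duplicates, or to hand undici an object keyed by header name so duplicates collapse by key. The block below is an added example of that check (it is not undici's own code and does not call undici); it assumes the flat `[name, value, name, value, ...]` array shape the advisory refers to, and the function names are this example's own. Conflicting `Content-Length` values are rejected rather than silently merged, because a request carrying two different lengths is exactly the desync primitive a smuggling attack needs.

```javascript
// Added example, not undici's own code: normalise a flat [name, value, ...]
// header array of the kind undici.request()/undici.Client accept, so that
// case-variant duplicates of Content-Length cannot reach the wire.
// Assumption: callers pass the flat-array shape; other shapes are out of scope.

const CONTENT_LENGTH = 'content-length';

// Report every header name (compared case-insensitively) that occurs more
// than once, together with the values seen for it.
function findDuplicateHeaders(flatHeaders) {
  if (!Array.isArray(flatHeaders) || flatHeaders.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even number of entries');
  }
  const seen = new Map(); // lowercased name -> [values]
  for (let i = 0; i < flatHeaders.length; i += 2) {
    const name = String(flatHeaders[i]).toLowerCase();
    const values = seen.get(name) || [];
    values.push(String(flatHeaders[i + 1]));
    seen.set(name, values);
  }
  const duplicates = {};
  for (const [name, values] of seen) {
    if (values.length > 1) duplicates[name] = values;
  }
  return duplicates;
}

// Convert the flat array into a plain object keyed by lowercased name, the
// shape the advisory recommends because it deduplicates by key. Content-Length
// is special-cased: identical repeats collapse to one copy, conflicting values
// are rejected outright, since no honest caller produces them and a server
// that sees both may desynchronise its parse of the request stream.
function toHeaderObject(flatHeaders) {
  const duplicates = findDuplicateHeaders(flatHeaders);
  if (CONTENT_LENGTH in duplicates) {
    const distinct = new Set(duplicates[CONTENT_LENGTH]);
    if (distinct.size > 1) {
      throw new Error('conflicting Content-Length values: ' + [...distinct].join(', '));
    }
  }
  const out = Object.create(null);
  for (let i = 0; i < flatHeaders.length; i += 2) {
    const name = String(flatHeaders[i]).toLowerCase();
    const value = String(flatHeaders[i + 1]);
    if (name === CONTENT_LENGTH || !(name in out)) {
      out[name] = value;                       // first (or only) occurrence
    } else {
      out[name] = [].concat(out[name], value); // undici header objects accept string[] values
    }
  }
  return out;
}
```

Run `toHeaderObject` over the array immediately before calling `undici.request()` and pass its result as `headers`; the throw on conflicting lengths is the point, since any value chosen silently would be a guess about which length the upstream server will honour.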
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
CVE-2026-1528 / GHSA-f269-vfmq-vjvj
Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
Workarounds
There are no workarounds.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Undici has CRLF Injection in undici via `upgrade` option
CVE-2026-1527 / GHSA-4992-7rv2-5pvq
Impact
When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to:

The vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:

Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
Workarounds
Sanitize the `upgrade` option string before passing to undici:

Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
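The workaround above says to sanitize the `upgrade` string before it reaches undici but the advisory's snippet did not survive extraction. The block below is an added example of such a check, not undici's code and not the advisory's: it does more than strip `\r\n`, admitting only the grammar of the Upgrade header field (a comma-separated list of `protocol-name["/" protocol-version]` tokens, RFC 9110 §7.8) and rejecting anything else. The function names are this example's own.

```javascript
// Added example, not undici's code: validate a caller-supplied value for the
// `upgrade` option of client.request() before it is handed to undici, which
// (before v7.24.0 / v6.24.0) wrote it to the socket unchecked. Only the
// grammar of the Upgrade field is admitted: a comma-separated list of
// protocol-name["/" protocol-version] tokens (RFC 9110 §7.8).

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // one or more RFC 9110 tchar
const CTL = /[\x00-\x1f\x7f]/;                  // CR, LF, NUL and other controls

function isProtocolEntry(entry) {
  const parts = entry.split('/');
  return parts.length <= 2 && parts.every((p) => TOKEN.test(p));
}

// Returns the normalised value to send, or throws. Rejecting rather than
// stripping matters: "websocket\r\nX-Evil: 1" with the CRLF removed would
// still be a value the caller never intended to send.
function sanitizeUpgrade(value) {
  if (typeof value !== 'string') throw new TypeError('upgrade must be a string');
  if (CTL.test(value)) throw new Error('control character in upgrade value');
  const entries = value.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  if (entries.length === 0) throw new Error('empty upgrade value');
  for (const e of entries) {
    if (!isProtocolEntry(e)) throw new Error('invalid protocol token: ' + JSON.stringify(e));
  }
  return entries.join(', ');
}

// Boolean form for callers that want to fall back to a default protocol.
function isSafeUpgrade(value) {
  try { sanitizeUpgrade(value); return true; } catch (e) { return false; }
}
```

Pass the return value of `sanitizeUpgrade` as the `upgrade` option; the check is still worth keeping after upgrading undici, because it also rejects values such as `web socket` that are not injection but would never be a valid Upgrade token either.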
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
CVE-2026-9678 / GHSA-pr7r-676h-xcf6
Impact
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream `Cache-Control` header uses whitespace-padded qualified `private` or `no-cache` field names such as `private=" authorization"` or `no-cache="\tauthorization"`. The parser preserves the surrounding whitespace, so later comparisons against the literal `authorization` field name fail and the response is stored.

In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.

Affected applications are those that explicitly enable the cache interceptor (`interceptors.cache()`) in shared mode, forward `Authorization` headers upstream, and receive cacheable responses with non-canonical qualified `private` or `no-cache` directives.

Patches
Upgrade to undici v7.28.0 or v8.5.0.
Workarounds
If upgrade is not immediately possible, disable shared-cache mode for traffic that includes `Authorization` headers, avoid caching responses to authenticated requests, or add `Vary: Authorization` upstream.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
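The bug class here is a parser that keeps the whitespace inside a quoted argument list and a comparison that then expects the bare field name. The block below is an added example, not undici's cache interceptor: a small Cache-Control parser whose `normalise` flag switches between preserving the padding (reproducing the mismatch described for CVE-2026-9678, which the v7.28.0 release notes summarise as "trim qualified field names") and trimming and lowercasing each qualified name before it is compared. Function names and the flag are this example's own; the limits on what a shared cache may store beyond this one comparison are out of scope.

```javascript
// Added example, not undici's cache interceptor: a Cache-Control parser that
// keeps quoted argument lists, plus the field-name comparison a shared cache
// makes. With `normalise: false` it reproduces the whitespace mismatch the
// advisory describes; with `normalise: true` each qualified field name is
// trimmed and lowercased before comparison, which is what the fix does.

// Split on commas that are not inside a quoted-string (RFC 9110 §5.6.1 list).
function splitList(input) {
  const out = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < input.length; i++) {
    const c = input[i];
    if (c === '"') { quoted = !quoted; cur += c; }
    else if (c === '\\' && quoted && i + 1 < input.length) { cur += c + input[++i]; }
    else if (c === ',' && !quoted) { out.push(cur); cur = ''; }
    else cur += c;
  }
  out.push(cur);
  return out.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Parse directives into a Map of name -> true | string | string[].
// private= and no-cache= carry a quoted list of response header field names.
function parseCacheControl(header, { normalise }) {
  const directives = new Map();
  for (const item of splitList(header)) {
    const eq = item.indexOf('=');
    const name = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    if (eq === -1) { directives.set(name, true); continue; }
    let value = item.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, '$1'); // unquote, undo quoted-pairs
    }
    if (name === 'private' || name === 'no-cache') {
      let fields = value.split(',');
      if (normalise) fields = fields.map((f) => f.trim().toLowerCase());
      directives.set(name, fields.filter((f) => f.length > 0));
    } else {
      directives.set(name, value);
    }
  }
  return directives;
}

// Is `field` withheld from a shared cache by `directive` (private / no-cache)?
// A bare directive covers every field; a qualified one covers exactly the
// names it lists, compared against the literal lowercased field name.
function directiveCoversField(directives, directive, field) {
  const v = directives.get(directive);
  if (v === true) return true;
  if (!Array.isArray(v)) return false;
  return v.includes(field.toLowerCase());
}
```

The naive parse of `private=" authorization"` yields the field name `" authorization"` with its leading space, so `directiveCoversField(..., 'private', 'authorization')` returns false and a shared cache would treat the response as if the directive were absent; the normalised parse returns true for the same input, and also for the tab-padded `no-cache="\tauthorization"` form.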
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
CVE-2026-6733 / GHSA-35p6-xmwp-9g52
Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
Disable keep-alive connection reuse by setting `keepAliveTimeout: 0` on the Client or Pool.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
CVE-2026-9679 / GHSA-p88m-4jfj-68fv
Impact
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a `Set-Cookie` header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary `Set-Cookie`, `Location`, or `Cache-Control` headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (`parseSetCookie`, `parseCookie`, `getSetCookies`) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via #3789.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
If upgrade is not immediately possible, do not forward values returned by `parseSetCookie`/`parseCookie`/`getSetCookies` directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, `;`, and `=` bytes.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
CVE-2026-11525 / GHSA-g8m3-5g58-fq7m
Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens: `SameSite=NoneOfYourBusiness` is parsed as `None`, the most permissive setting. `SameSite=StrictLax` is parsed as `Lax`, a downgrade from `Strict`.

Affected applications are those that consume `Set-Cookie` headers from server responses (for example via undici's `fetch` or proxy code paths) and then forward or rely on the parsed `sameSite` attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.

This was introduced in undici 5.15.0 when the cookies feature was added.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
After parsing a `Set-Cookie` header, validate that the resulting `sameSite` attribute is one of `'Strict'`, `'Lax'`, or `'None'` (exact, case-insensitive) before forwarding or relying on it.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
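The two cookie advisories (CVE-2026-9679 and CVE-2026-11525) were fixed by the same commit and share one lesson: keep the value exactly as received, and match attribute tokens exactly. The block below is an added example that covers both workarounds, not undici's `parseSetCookie`: a `Set-Cookie` parser that never percent-decodes the value, records a `SameSite` value only on an exact case-insensitive match, and a forwarding guard that rejects the CR, LF, NUL, `;` and `=` bytes the first advisory lists. The helper that percent-decodes is included only to contrast the vulnerable behaviour; all names are this example's own.

```javascript
// Added example, not undici's parseSetCookie: a Set-Cookie parser that keeps
// the cookie value byte-for-byte (no percent-decoding, per RFC 6265 §5.4 and
// browser behaviour), accepts SameSite only on an exact case-insensitive
// match, and a guard to run before a parsed value is forwarded into a
// downstream response header.

const SAMESITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

function parseSetCookieHeader(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq <= 0) return null; // no cookie-name: ignore the header (RFC 6265 §5.2)
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
  for (const raw of attrs) {
    const aEq = raw.indexOf('=');
    const aName = (aEq === -1 ? raw : raw.slice(0, aEq)).trim().toLowerCase();
    const aVal = aEq === -1 ? '' : raw.slice(aEq + 1).trim();
    switch (aName) {
      case 'samesite': {
        // Exact token match only. "NoneOfYourBusiness" or "StrictLax" is
        // recorded as rejected rather than mapped to the nearest substring,
        // so a consumer cannot be talked into a weaker policy.
        const canonical = SAMESITE.get(aVal.toLowerCase());
        if (canonical) cookie.sameSite = canonical;
        else cookie.rejectedSameSite = aVal;
        break;
      }
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = aVal; break;
      case 'domain': cookie.domain = aVal; break;
      case 'max-age': if (/^-?\d+$/.test(aVal)) cookie.maxAge = Number(aVal); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Before re-emitting a parsed value in a response header, refuse anything
// that could end the header line (CR, LF), truncate it (NUL), or start a new
// cookie-pair or attribute (';', '=').
function isForwardableCookieValue(value) {
  return !/[\x00\r\n;=]/.test(value);
}

// What the vulnerable parser did to the value: percent-decode it. Present only
// so the contrast can be shown; a forwarding path must not do this.
function percentDecodeLikeVulnerableParser(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}
```

For an upstream `Set-Cookie: sid=abc%0D%0ALocation%3A%20https%3A%2F%2Fevil.test; SameSite=NoneOfYourBusiness` the parser returns the value still encoded, `isForwardableCookieValue` accepts it, and no `sameSite` is set; the percent-decoded form contains a literal CR LF and is refused.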
Release Notes
nodejs/undici (undici)
v7.28.0

This release line addresses 7 security advisories, all shipped in v7.28.0. The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.
Summary
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

- `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
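Two of the WebSocket advisories on this page are failures of the same frame-parsing code path: CVE-2026-1528 (above, a 64-bit extended length that overflows the parser's arithmetic and crashes the client) and CVE-2026-12151 (a cumulative-size limit that a peer sidesteps by sending many tiny fragments). The block below is an added example, not undici's `ByteParser`: it decodes the RFC 6455 §5.2 frame header reading the 64-bit length as a `BigInt` and bounding it before it is ever converted to a number, and reassembles fragments with a cap on both bytes and fragment count. Both limits are assumed values for the example, not undici's defaults, and the names are this example's own.

```javascript
// Added example, not undici's ByteParser: decode a WebSocket frame header
// (RFC 6455 §5.2) so that the 64-bit extended payload length cannot overflow
// JavaScript number arithmetic, and count the fragments of a message so that a
// peer cannot stream an unbounded number of tiny continuation frames. The two
// limits are assumed values for this example, not undici's defaults.

const MAX_MESSAGE_BYTES = 16 * 1024 * 1024; // assumed cap on a whole message
const MAX_FRAGMENTS = 1024;                 // assumed cap on frames per message

// Parse the fixed header plus extended length. Returns
// { fin, opcode, masked, length, headerLength } or throws a RangeError.
function decodeFrameHeader(buf) {
  if (buf.length < 2) throw new RangeError('need at least 2 header bytes');
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = buf[1] & 0x7f;
  let offset = 2;
  if (length === 126) {
    if (buf.length < 4) throw new RangeError('truncated 16-bit length');
    length = buf.readUInt16BE(2);
    offset = 4;
  } else if (length === 127) {
    if (buf.length < 10) throw new RangeError('truncated 64-bit length');
    // Read the 8 bytes as a BigInt. Combining two 32-bit halves with
    // `hi * 2**32 + lo` in plain numbers loses precision above 2**53 and
    // can turn an absurd length into an innocuous-looking one.
    const big = buf.readBigUInt64BE(2);
    if (big & (1n << 63n)) throw new RangeError('64-bit length has MSB set (RFC 6455 §5.2)');
    if (big > BigInt(MAX_MESSAGE_BYTES)) throw new RangeError('frame length ' + big + ' exceeds limit');
    length = Number(big); // safe: bounded above by MAX_MESSAGE_BYTES
    offset = 10;
  }
  if (length > MAX_MESSAGE_BYTES) throw new RangeError('frame length ' + length + ' exceeds limit');
  if (masked) offset += 4; // 4-byte masking key follows the length
  return { fin, opcode, masked, length, headerLength: offset };
}

// Reassembly state for one data message. Control frames (opcode >= 8) may be
// interleaved and are not counted. Throws when the fragment count or the
// cumulative size exceeds its cap, however small each frame is.
class MessageAssembler {
  constructor() { this.reset(); }
  reset() { this.inMessage = false; this.fragments = 0; this.bytes = 0; }
  acceptFrame(header) {
    if (header.opcode >= 8) return null;
    if (header.opcode === 0 && !this.inMessage) throw new Error('continuation frame without a message');
    if (header.opcode !== 0 && this.inMessage) throw new Error('new message while one is fragmented');
    this.inMessage = true;
    this.fragments += 1;
    this.bytes += header.length;
    if (this.fragments > MAX_FRAGMENTS) throw new Error('too many fragments');
    if (this.bytes > MAX_MESSAGE_BYTES) throw new Error('message too large');
    if (!header.fin) return null;
    const done = { fragments: this.fragments, bytes: this.bytes };
    this.reset();
    return done;
  }
}
```

The order of checks in the 64-bit branch is deliberate: the MSB test and the limit comparison both happen on the `BigInt`, so the conversion to a JavaScript number only ever sees a value the parser has already agreed to allocate for; and `MessageAssembler` fails on the 1025th zero-length continuation frame even though the byte total is still zero, which is the case the cumulative-size check alone missed.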
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
Fix: 04201f89 fix: honor requestTls when proxy is SOCKS5 (#5417)

The `ProxyAgent` silently discarded the `requestTls` option when configured with a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured parameters such as `ca`, `cert`, `key`, `rejectUnauthorized`, and `servername`, falling back to the default Mozilla CA bundle. Applications relying on certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

- `ProxyAgent`/`Socks5ProxyAgent` over SOCKS5 that rely on `requestTls`.
- `ProxyAgent`, where `requestTls` functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734
GHSA-hm92-r4w5-c3mj · CWE-346
Fix: 3805b8f8 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)

`Socks5ProxyAgent` reused a single connection pool across different origins without verifying the pool's origin matched the requested origin. This could route credentials and request data to unintended destinations, cause responses from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

- `Socks5ProxyAgent` across multiple origins (introduced in 7.23.0 via #4385).
Moderate severity
Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678
GHSA-pr7r-676h-xcf6 · CWE-524
Fix: 85a24055 fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded `Cache-Control` directives such as `private=" authorization"`. In shared-cache mode this could cause authenticated data to be cached and served to other users.

- `Authorization` upstream and receive non-canonical qualified directives.
- caching authenticated responses, or add `Vary: Authorization` upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

`parseSetCookie` applied percent-decoding to cookie values, turning encoded sequences like `%0D%0A` and `%00` into literal bytes, contrary to RFC 6265 §5.4 and browser behavior. Applications forwarding parsed Set-Cookie values into response headers were exposed to header injection, enabling session fixation, open redirects, and cache poisoning. Introduced in 7.0.0 via #3789.

- NUL, `;`, and `=`.

Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted `SameSite` values containing `Strict`, `Lax`, or `None` as substrings rather than requiring exact matches per RFC 6265. Values like `SameSite=NoneOfYourBusiness` parsed as `None`, and `SameSite=StrictLax` parsed as `Lax`, silently weakening cookie security policies for apps that forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: ea8930cf fix: guard idle socket validation to skip fresh sockets, hardened by 8e4046e4 keep idle validation on native timers (#5402) and 0fa80869 keep idle validation on global timers (#5409)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited responses onto idle keep-alive sockets. On socket reuse, the injected response was associated with a new request, delivering responses to the wrong requests.

- keep-alive reuse.
- `keepAliveTimeout: 0` on the Client or Pool.
Release contents & deliberate backports

v7.28.0 is a security-only release — every change in it is one of the fixes above, backported to the v7.x maintenance line on purpose from the v8 development line:

- #5423 — backport of the WebSocket `maxPayloadSize` fragment-count / cumulative-size limits (CVE-2026-12151).
- #5402 — backport of the idle-validation hardening (native + global timers) for the queue-poisoning fix (CVE-2026-6733).
- #5417 — `requestTls` over SOCKS5 fix (CVE-2026-9697).

The cookie (d0574cc4), cache (85a24055) and queue-poisoning core (ea8930cf) fixes were applied directly to the v7.x branch. Full changelog: v7.27.2...v7.28.0.

Credits

Per-advisory credits (as recorded in each GHSA):
v7.27.2

What's Changed

Full Changelog: nodejs/undici@v7.27.1...v7.27.2

v7.27.1

What's Changed

Full Changelog: nodejs/undici@v7.27.0...v7.27.1

v7.27.0

What's Changed

Full Changelog: nodejs/undici@v7.26.0...v7.27.0

v7.26.0

What's Changed

Full Changelog: nodejs/undici@v7.25.0...v7.26.0

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

- `redirectionLimitReached` by @samuel871211 in #4933

New Contributors

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: nodejs/undici@v7.24.0...v7.24.1
v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

- GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium): Inconsistent interpretation of HTTP requests (request/response smuggling class issue).
- GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High): Malicious WebSocket 64-bit frame length handling could crash the client.
- GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium): Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).
- GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium): CRLF injection via the `upgrade` option.
- GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High): Unhandled exception from invalid `server_max_window_bits` in WebSocket permessage-deflate negotiation.
- GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High): Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

- 7.0.0 < 7.24.0, patched 7.24.0
- 7.0.0 < 7.24.0, patched 7.24.0
- >= 7.17.0 < 7.24.0, patched 7.24.0
- 7.0.0 < 7.24.0, patched 7.24.0
- 7.0.0 < 7.24.0, patched 7.24.0
- 7.0.0 < 7.24.0, patched 7.24.0
v7.23.0

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.22.0...v7.23.0

v7.22.0

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

What's Changed

- `close` method to WebSocketStream interface by @piotr-cz in #4802

New Contributors

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.19.1...v7.19.2

v7.19.1

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.19.0...v7.19.1

v7.19.0

What's Changed
Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.