Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/30164?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/30164?format=api", "purl": "pkg:npm/undici@6.11.1", "type": "npm", "namespace": "", "name": "undici", "version": "6.11.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.24.0", "latest_non_vulnerable_version": "7.24.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78542?format=api", "vulnerability_id": "VCID-4gay-kbzx-zkg7", "summary": "ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\\r\\n) to:\n\n * Inject arbitrary HTTP headers\n * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)\nThe vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:\n\n// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01904", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01919", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01909", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01907", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882", "reference_id": "1130882", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141", "reference_id": "2447141", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141" }, { "reference_url": "https://hackerone.com/reports/3487198", "reference_id": "3487198", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://hackerone.com/reports/3487198" }, { "reference_url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "GHSA-4992-7rv2-5pvq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "GHSA-4992-7rv2-5pvq", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "security-advisories.html", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374691?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/374508?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1527", "GHSA-4992-7rv2-5pvq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4gay-kbzx-zkg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78922?format=api", "vulnerability_id": "VCID-5f6z-hep3-8ubw", "summary": "ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.\n\nPatches\n\nPatched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1528", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.3056", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30761", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30775", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30756", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1528" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883", "reference_id": "1130883", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447145", "reference_id": "2447145", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447145" }, { "reference_url": "https://hackerone.com/reports/3537648", "reference_id": "3537648", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://hackerone.com/reports/3537648" }, { "reference_url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "reference_id": "GHSA-f269-vfmq-vjvj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj", "reference_id": "GHSA-f269-vfmq-vjvj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13826", "reference_id": "RHSA-2026:13826", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13826" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:17789", "reference_id": "RHSA-2026:17789", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:17789" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21931", "reference_id": "RHSA-2026:21931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21931" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "security-advisories.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374691?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/374508?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1528", "GHSA-f269-vfmq-vjvj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5f6z-hep3-8ubw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85022?format=api", "vulnerability_id": "VCID-7pfj-bmxq-eba5", "summary": "ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n * The createInflateRaw() call is not wrapped in a try-catch block\n * The resulting exception propagates up through the call stack and crashes the Node.js process", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38732", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38919", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38928", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38905", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2229" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884", "reference_id": "1130884", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447143", "reference_id": "2447143", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447143" }, { "reference_url": "https://hackerone.com/reports/3487486", "reference_id": "3487486", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://hackerone.com/reports/3487486" }, { "reference_url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "reference_id": "GHSA-v9p9-hfj2-hcw8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8", "reference_id": "GHSA-v9p9-hfj2-hcw8", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8" }, { "reference_url": "https://datatracker.ietf.org/doc/html/rfc7692", "reference_id": "rfc7692", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13826", "reference_id": "RHSA-2026:13826", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13826" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:17789", "reference_id": "RHSA-2026:17789", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:17789" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21931", "reference_id": "RHSA-2026:21931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21931" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "security-advisories.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw", "reference_id": "zlib.html#class-zlibinflateraw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374691?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/374508?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-2229", "GHSA-v9p9-hfj2-hcw8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7pfj-bmxq-eba5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23203?format=api", "vulnerability_id": "VCID-bb3s-t1q2-uufg", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.70097", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0082", "scoring_system": "epss", "scoring_elements": "0.74902", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0082", "scoring_system": "epss", "scoring_elements": "0.74892", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0082", "scoring_system": "epss", "scoring_elements": "0.74906", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22150" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339176", "reference_id": "2339176", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339176" }, { "reference_url": "https://hackerone.com/reports/2913312", "reference_id": "2913312", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://hackerone.com/reports/2913312" }, { "reference_url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0", "reference_id": "711e20772764c29f6622ddc937c63b6eefdf07d0", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0" }, { "reference_url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113", "reference_id": "body.js#L113", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113" }, { "reference_url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a", "reference_id": "c2d78cd19fe4f4c621424491e26ce299e65e934a", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a" }, { "reference_url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385", "reference_id": "c3acc6050b781b827d80c86cbbab34f14458d385", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385" }, { "reference_url": "https://github.com/advisories/GHSA-c76h-2ccp-4975", "reference_id": "GHSA-c76h-2ccp-4975", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c76h-2ccp-4975" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975", "reference_id": "GHSA-c76h-2ccp-4975", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975" }, { "reference_url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f", "reference_id": "hacking-the-javascript-lottery-80cc437e3b7f", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1351", "reference_id": "RHSA-2025:1351", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1351" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1443", "reference_id": "RHSA-2025:1443", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1443" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1446", "reference_id": "RHSA-2025:1446", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1446" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1454", "reference_id": "RHSA-2025:1454", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1454" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1582", "reference_id": "RHSA-2025:1582", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1582" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1611", "reference_id": "RHSA-2025:1611", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1611" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1613", "reference_id": "RHSA-2025:1613", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1613" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:17145", "reference_id": "RHSA-2025:17145", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:17145" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1931", "reference_id": "RHSA-2025:1931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1931" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21368", "reference_id": "RHSA-2025:21368", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21368" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2588", "reference_id": "RHSA-2025:2588", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2588" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3368", "reference_id": "RHSA-2025:3368", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3368" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3374", "reference_id": "RHSA-2025:3374", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3374" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3397", "reference_id": "RHSA-2025:3397", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3397" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377101?format=api", "purl": "pkg:npm/undici@6.21.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/377102?format=api", "purl": "pkg:npm/undici@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.2.3" } ], "aliases": [ "CVE-2025-22150", "GHSA-c76h-2ccp-4975" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bb3s-t1q2-uufg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79002?format=api", "vulnerability_id": "VCID-by57-rp7b-1uge", "summary": "The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06093", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06096", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06108", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06114", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526" }, { "reference_url": "https://owasp.org/www-community/attacks/Denial_of_Service", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/Denial_of_Service" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880", "reference_id": "1130880", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142", "reference_id": "2447142", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142" }, { "reference_url": "https://hackerone.com/reports/3481206", "reference_id": "3481206", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://hackerone.com/reports/3481206" }, { "reference_url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "GHSA-vrm6-8vpv-qv8q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "GHSA-vrm6-8vpv-qv8q", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://datatracker.ietf.org/doc/html/rfc7692", "reference_id": "rfc7692", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13826", "reference_id": "RHSA-2026:13826", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13826" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:17789", "reference_id": "RHSA-2026:17789", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:17789" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21931", "reference_id": "RHSA-2026:21931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21931" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "security-advisories.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374691?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/374508?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1526", "GHSA-vrm6-8vpv-qv8q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-by57-rp7b-1uge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79142?format=api", "vulnerability_id": "VCID-cmkj-wegt-q3eb", "summary": "Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.\n\nWho is impacted:\n\n * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays\n * Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)\n * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05234", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05244", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05251", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05237", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879", "reference_id": "1130879", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144", "reference_id": "2447144", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144" }, { "reference_url": "https://hackerone.com/reports/3556037", "reference_id": "3556037", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://hackerone.com/reports/3556037" }, { "reference_url": "https://cwe.mitre.org/data/definitions/444.html", "reference_id": "444.html", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cwe.mitre.org/data/definitions/444.html" }, { "reference_url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "GHSA-2mjp-6q6p-2qxm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "GHSA-2mjp-6q6p-2qxm", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6", "reference_id": "rfc9110.html#section-8.6", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13826", "reference_id": "RHSA-2026:13826", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13826" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:17789", "reference_id": "RHSA-2026:17789", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:17789" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "security-advisories.html", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374691?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/374508?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1525", "GHSA-2mjp-6q6p-2qxm" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cmkj-wegt-q3eb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/119887?format=api", "vulnerability_id": "VCID-rqp9-y5v9-kkht", "summary": "Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47279", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14977", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15065", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15098", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15096", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47279" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860", "reference_id": "1105860", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366632", "reference_id": "2366632", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366632" }, { "reference_url": "https://github.com/nodejs/undici/issues/3895", "reference_id": "3895", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/issues/3895" }, { "reference_url": "https://github.com/nodejs/undici/pull/4088", "reference_id": "4088", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/pull/4088" }, { "reference_url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "reference_id": "f317618ec28753a4218beccea048bcf89c36db25", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25" }, { "reference_url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3", "reference_id": "GHSA-cxrh-j4jr-qwg3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "reference_id": "GHSA-cxrh-j4jr-qwg3", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378831?format=api", "purl": "pkg:npm/undici@6.21.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/378832?format=api", "purl": "pkg:npm/undici@7.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.5.0" } ], "aliases": [ "CVE-2025-47279", "GHSA-cxrh-j4jr-qwg3" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rqp9-y5v9-kkht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/26771?format=api", "vulnerability_id": "VCID-t4mv-7pwt-ryau", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22036", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0186", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01851", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02024", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06931", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22036" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679", "reference_id": "1125679", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429741", "reference_id": "2429741", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429741" }, { "reference_url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3", "reference_id": "b04e3cbb569c1596f86c108e9b52c79d8475dcb3", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/" } ], "url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036", "reference_id": "CVE-2026-22036", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036" }, { "reference_url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "reference_id": "GHSA-g9mf-h72j-4rw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9", "reference_id": "GHSA-g9mf-h72j-4rw9", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:24841", "reference_id": "RHSA-2026:24841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:24841" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37754?format=api", "purl": "pkg:npm/undici@6.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.23.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/37756?format=api", "purl": "pkg:npm/undici@7.18.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-fmxm-x112-gff9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.2" } ], "aliases": [ "CVE-2026-22036", "GHSA-g9mf-h72j-4rw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t4mv-7pwt-ryau" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19020?format=api", "vulnerability_id": "VCID-gwng-pdqq-wyeu", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30261", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20766", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.2094", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20961", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20942", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30261" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273519", "reference_id": "2273519", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273519" }, { "reference_url": "https://hackerone.com/reports/2377760", "reference_id": "2377760", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://hackerone.com/reports/2377760" }, { "reference_url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "reference_id": "2b39440bd9ded841c93dd72138f3b1763ae26055", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261", "reference_id": "CVE-2024-30261", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261" }, { "reference_url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "reference_id": "d542b8cd39ec1ba303f038ea26098c3f355974f3", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3" }, { "reference_url": "https://github.com/advisories/GHSA-9qxr-qj54-h672", "reference_id": "GHSA-9qxr-qj54-h672", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9qxr-qj54-h672" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "reference_id": "GHSA-9qxr-qj54-h672", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "reference_id": "HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "reference_id": "NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "reference_id": "P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6667", "reference_id": "RHSA-2024:6667", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6667" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1931", "reference_id": "RHSA-2025:1931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1931" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30166?format=api", "purl": "pkg:npm/undici@5.28.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-bb3s-t1q2-uufg" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/30164?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-bb3s-t1q2-uufg" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30261", "GHSA-9qxr-qj54-h672" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwng-pdqq-wyeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19019?format=api", "vulnerability_id": "VCID-xyrc-bdam-x7aw", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30260", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41746", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.4192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.4193", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41911", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30260" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://hackerone.com/reports/2408074", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/2408074" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273522", "reference_id": "2273522", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273522" }, { "reference_url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "reference_id": "64e3402da4e032e68de46acb52800c9a06aaea3f", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f" }, { "reference_url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "reference_id": "6805746680d27a5369d7fb67bc05f95a28247d75", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260", "reference_id": "CVE-2024-30260", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260" }, { "reference_url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "GHSA-m4v8-wqvr-p9f7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "GHSA-m4v8-wqvr-p9f7", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "reference_id": "HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "reference_id": "NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "reference_id": "P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6667", "reference_id": "RHSA-2024:6667", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6667" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30166?format=api", "purl": "pkg:npm/undici@5.28.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-bb3s-t1q2-uufg" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/30164?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gay-kbzx-zkg7" }, { "vulnerability": "VCID-5f6z-hep3-8ubw" }, { "vulnerability": "VCID-7pfj-bmxq-eba5" }, { "vulnerability": "VCID-bb3s-t1q2-uufg" }, { "vulnerability": "VCID-by57-rp7b-1uge" }, { "vulnerability": "VCID-cmkj-wegt-q3eb" }, { "vulnerability": "VCID-rqp9-y5v9-kkht" }, { "vulnerability": "VCID-t4mv-7pwt-ryau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30260", "GHSA-m4v8-wqvr-p9f7" ], "risk_score": 1.8, "exploitability": "0.5", "weighted_severity": "3.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xyrc-bdam-x7aw" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" }