Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/undici@6.0.1
Typenpm
Namespace
Nameundici
Version6.0.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.24.0
Latest_non_vulnerable_version7.24.0
Affected_by_vulnerabilities
0
url VCID-1294-r4v2-3ud7
vulnerability_id VCID-1294-r4v2-3ud7
summary 
undici Denial of Service attack via bad certificate data
### Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. 

### Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

### Workarounds

If a webhook fails, avoid keep calling it repeatedly.

### References

Reported as: https://github.com/nodejs/undici/issues/3895
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-47279
reference_id
reference_type
scores
0
value 0.00047
scoring_system epss
scoring_elements 0.14339
published_at 2026-04-16T12:55:00Z
1
value 0.00047
scoring_system epss
scoring_elements 0.14445
published_at 2026-04-13T12:55:00Z
2
value 0.00047
scoring_system epss
scoring_elements 0.14502
published_at 2026-04-12T12:55:00Z
3
value 0.00047
scoring_system epss
scoring_elements 0.14541
published_at 2026-04-11T12:55:00Z
4
value 0.00047
scoring_system epss
scoring_elements 0.14593
published_at 2026-04-09T12:55:00Z
5
value 0.00047
scoring_system epss
scoring_elements 0.14452
published_at 2026-04-07T12:55:00Z
6
value 0.00047
scoring_system epss
scoring_elements 0.1454
published_at 2026-04-08T12:55:00Z
7
value 0.00047
scoring_system epss
scoring_elements 0.14641
published_at 2026-04-04T12:55:00Z
8
value 0.00047
scoring_system epss
scoring_elements 0.14571
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-47279
2
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
3
reference_url https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/
url https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
4
reference_url https://github.com/nodejs/undici/issues/3895
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/
url https://github.com/nodejs/undici/issues/3895
5
reference_url https://github.com/nodejs/undici/pull/4088
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/
url https://github.com/nodejs/undici/pull/4088
6
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-47279
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-47279
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860
reference_id 1105860
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2366632
reference_id 2366632
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2366632
10
reference_url https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
reference_id GHSA-cxrh-j4jr-qwg3
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
fixed_packages
0
url pkg:npm/undici@6.21.2
purl pkg:npm/undici@6.21.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hgd1-7u6j-p7dh
1
vulnerability VCID-n6ew-t7g1-33gn
2
vulnerability VCID-ph2p-u33d-8yh3
3
vulnerability VCID-sy2z-sqgk-d7hg
4
vulnerability VCID-z7ac-jr58-gkfm
5
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.2
1
url pkg:npm/undici@7.5.0
purl pkg:npm/undici@7.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hgd1-7u6j-p7dh
1
vulnerability VCID-n6ew-t7g1-33gn
2
vulnerability VCID-ph2p-u33d-8yh3
3
vulnerability VCID-sy2z-sqgk-d7hg
4
vulnerability VCID-z7ac-jr58-gkfm
5
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.5.0
aliases CVE-2025-47279, GHSA-cxrh-j4jr-qwg3
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1294-r4v2-3ud7
1
url VCID-8ruv-6g79-c7ex
vulnerability_id VCID-8ruv-6g79-c7ex
summary 
fetch(url) leads to a memory leak in undici
### Impact

Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. 

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24750.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24750.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24750
reference_id
reference_type
scores
0
value 0.00315
scoring_system epss
scoring_elements 0.54617
published_at 2026-04-13T12:55:00Z
1
value 0.00315
scoring_system epss
scoring_elements 0.54638
published_at 2026-04-12T12:55:00Z
2
value 0.00315
scoring_system epss
scoring_elements 0.54655
published_at 2026-04-11T12:55:00Z
3
value 0.00315
scoring_system epss
scoring_elements 0.54643
published_at 2026-04-09T12:55:00Z
4
value 0.00315
scoring_system epss
scoring_elements 0.54648
published_at 2026-04-08T12:55:00Z
5
value 0.00315
scoring_system epss
scoring_elements 0.54596
published_at 2026-04-07T12:55:00Z
6
value 0.00315
scoring_system epss
scoring_elements 0.54628
published_at 2026-04-04T12:55:00Z
7
value 0.00315
scoring_system epss
scoring_elements 0.54604
published_at 2026-04-02T12:55:00Z
8
value 0.00351
scoring_system epss
scoring_elements 0.57595
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24750
2
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
3
reference_url https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/
url https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
4
reference_url https://github.com/nodejs/undici/releases/tag/v6.6.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici/releases/tag/v6.6.1
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24750
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24750
7
reference_url https://security.netapp.com/advisory/ntap-20240419-0006
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240419-0006
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2264728
reference_id 2264728
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2264728
9
reference_url https://github.com/advisories/GHSA-9f24-jqhm-jfcw
reference_id GHSA-9f24-jqhm-jfcw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9f24-jqhm-jfcw
10
reference_url https://security.netapp.com/advisory/ntap-20240419-0006/
reference_id ntap-20240419-0006
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/
url https://security.netapp.com/advisory/ntap-20240419-0006/
fixed_packages
0
url pkg:npm/undici@6.6.1
purl pkg:npm/undici@6.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-pah5-gspe-hbbh
4
vulnerability VCID-ph2p-u33d-8yh3
5
vulnerability VCID-sy2z-sqgk-d7hg
6
vulnerability VCID-u8t3-4awy-k3fm
7
vulnerability VCID-z653-vqsc-euer
8
vulnerability VCID-z7ac-jr58-gkfm
9
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1
aliases CVE-2024-24750, GHSA-9f24-jqhm-jfcw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ruv-6g79-c7ex
2
url VCID-hgd1-7u6j-p7dh
vulnerability_id VCID-hgd1-7u6j-p7dh
summary 
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
### Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
2. The `createInflateRaw()` call is not wrapped in a try-catch block
3. The resulting exception propagates up through the call stack and crashes the Node.js process

### Patches
_Has the problem been patched? What versions should users upgrade to?_

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-2229
reference_id
reference_type
scores
0
value 0.00186
scoring_system epss
scoring_elements 0.40468
published_at 2026-04-02T12:55:00Z
1
value 0.00186
scoring_system epss
scoring_elements 0.40417
published_at 2026-04-07T12:55:00Z
2
value 0.00186
scoring_system epss
scoring_elements 0.40494
published_at 2026-04-04T12:55:00Z
3
value 0.00186
scoring_system epss
scoring_elements 0.40462
published_at 2026-04-12T12:55:00Z
4
value 0.00186
scoring_system epss
scoring_elements 0.40499
published_at 2026-04-11T12:55:00Z
5
value 0.00186
scoring_system epss
scoring_elements 0.40478
published_at 2026-04-09T12:55:00Z
6
value 0.00186
scoring_system epss
scoring_elements 0.40467
published_at 2026-04-08T12:55:00Z
7
value 0.00203
scoring_system epss
scoring_elements 0.42413
published_at 2026-04-13T12:55:00Z
8
value 0.00203
scoring_system epss
scoring_elements 0.42462
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-2229
2
reference_url https://cna.openjsf.org/security-advisories.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/
url https://cna.openjsf.org/security-advisories.html
3
reference_url https://datatracker.ietf.org/doc/html/rfc7692
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/
url https://datatracker.ietf.org/doc/html/rfc7692
4
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
6
reference_url https://hackerone.com/reports/3487486
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/
url https://hackerone.com/reports/3487486
7
reference_url https://nodejs.org/api/zlib.html#class-zlibinflateraw
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/
url https://nodejs.org/api/zlib.html#class-zlibinflateraw
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-2229
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-2229
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884
reference_id 1130884
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2447143
reference_id 2447143
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2447143
11
reference_url https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
reference_id GHSA-v9p9-hfj2-hcw8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
12
reference_url https://access.redhat.com/errata/RHSA-2026:5807
reference_id RHSA-2026:5807
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5807
13
reference_url https://access.redhat.com/errata/RHSA-2026:7080
reference_id RHSA-2026:7080
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7080
14
reference_url https://access.redhat.com/errata/RHSA-2026:7123
reference_id RHSA-2026:7123
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7123
15
reference_url https://access.redhat.com/errata/RHSA-2026:7302
reference_id RHSA-2026:7302
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7302
16
reference_url https://access.redhat.com/errata/RHSA-2026:7310
reference_id RHSA-2026:7310
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7310
17
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
18
reference_url https://access.redhat.com/errata/RHSA-2026:7670
reference_id RHSA-2026:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7670
19
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
20
reference_url https://access.redhat.com/errata/RHSA-2026:7983
reference_id RHSA-2026:7983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7983
fixed_packages
0
url pkg:npm/undici@6.24.0
purl pkg:npm/undici@6.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0
1
url pkg:npm/undici@7.24.0
purl pkg:npm/undici@7.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0
aliases CVE-2026-2229, GHSA-v9p9-hfj2-hcw8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hgd1-7u6j-p7dh
3
url VCID-n6ew-t7g1-33gn
vulnerability_id VCID-n6ew-t7g1-33gn
summary 
Undici has an HTTP Request/Response Smuggling issue
### Impact

Undici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.

**Who is impacted:**
  - Applications using `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays
  - Applications that accept user-controlled header names without case-normalization

**Potential consequences:**
  - **Denial of Service**: Strict HTTP parsers (proxies, servers) will reject requests with duplicate `Content-Length` headers (400 Bad Request)
  - **HTTP Request Smuggling**: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

### Patches

 Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

### Workarounds

  If upgrading is not immediately possible:

  1. **Validate header names**: Ensure no duplicate `Content-Length` headers (case-insensitive) are present before passing headers to undici
  2. **Use object format**: Pass headers as a plain object (`{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key
  3. **Sanitize user input**: If headers originate from user input, normalize header names to lowercase and reject duplicates
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1525
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03768
published_at 2026-04-07T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.03756
published_at 2026-04-11T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.03795
published_at 2026-04-09T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.03771
published_at 2026-04-08T12:55:00Z
4
value 0.00016
scoring_system epss
scoring_elements 0.03742
published_at 2026-04-02T12:55:00Z
5
value 0.00016
scoring_system epss
scoring_elements 0.03754
published_at 2026-04-04T12:55:00Z
6
value 0.00016
scoring_system epss
scoring_elements 0.03735
published_at 2026-04-12T12:55:00Z
7
value 0.00018
scoring_system epss
scoring_elements 0.04422
published_at 2026-04-16T12:55:00Z
8
value 0.00018
scoring_system epss
scoring_elements 0.04453
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1525
2
reference_url https://cna.openjsf.org/security-advisories.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/
url https://cna.openjsf.org/security-advisories.html
3
reference_url https://cwe.mitre.org/data/definitions/444.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/
url https://cwe.mitre.org/data/definitions/444.html
4
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
6
reference_url https://hackerone.com/reports/3556037
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/
url https://hackerone.com/reports/3556037
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1525
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1525
8
reference_url https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/
url https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879
reference_id 1130879
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2447144
reference_id 2447144
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2447144
11
reference_url https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
reference_id GHSA-2mjp-6q6p-2qxm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
12
reference_url https://access.redhat.com/errata/RHSA-2026:7080
reference_id RHSA-2026:7080
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7080
13
reference_url https://access.redhat.com/errata/RHSA-2026:7123
reference_id RHSA-2026:7123
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7123
14
reference_url https://access.redhat.com/errata/RHSA-2026:7302
reference_id RHSA-2026:7302
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7302
15
reference_url https://access.redhat.com/errata/RHSA-2026:7310
reference_id RHSA-2026:7310
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7310
16
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
17
reference_url https://access.redhat.com/errata/RHSA-2026:7670
reference_id RHSA-2026:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7670
18
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
19
reference_url https://access.redhat.com/errata/RHSA-2026:7983
reference_id RHSA-2026:7983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7983
fixed_packages
0
url pkg:npm/undici@6.24.0
purl pkg:npm/undici@6.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0
1
url pkg:npm/undici@7.24.0
purl pkg:npm/undici@7.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0
aliases CVE-2026-1525, GHSA-2mjp-6q6p-2qxm
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n6ew-t7g1-33gn
4
url VCID-pah5-gspe-hbbh
vulnerability_id VCID-pah5-gspe-hbbh
summary 
Use of Insufficiently Random Values in undici
### Impact

[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

### Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

### Workarounds

Do not issue multipart requests to attacker controlled servers.

### References

* https://hackerone.com/reports/2913312
* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-22150
reference_id
reference_type
scores
0
value 0.00605
scoring_system epss
scoring_elements 0.69637
published_at 2026-04-16T12:55:00Z
1
value 0.00605
scoring_system epss
scoring_elements 0.69597
published_at 2026-04-13T12:55:00Z
2
value 0.00605
scoring_system epss
scoring_elements 0.69611
published_at 2026-04-12T12:55:00Z
3
value 0.00605
scoring_system epss
scoring_elements 0.69626
published_at 2026-04-11T12:55:00Z
4
value 0.00605
scoring_system epss
scoring_elements 0.69543
published_at 2026-04-02T12:55:00Z
5
value 0.00605
scoring_system epss
scoring_elements 0.69587
published_at 2026-04-08T12:55:00Z
6
value 0.00605
scoring_system epss
scoring_elements 0.69537
published_at 2026-04-07T12:55:00Z
7
value 0.00605
scoring_system epss
scoring_elements 0.69558
published_at 2026-04-04T12:55:00Z
8
value 0.00605
scoring_system epss
scoring_elements 0.69604
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-22150
2
reference_url https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
5
reference_url https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
6
reference_url https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
7
reference_url https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
8
reference_url https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
9
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
10
reference_url https://hackerone.com/reports/2913312
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/
url https://hackerone.com/reports/2913312
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-22150
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-22150
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2339176
reference_id 2339176
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2339176
13
reference_url https://github.com/advisories/GHSA-c76h-2ccp-4975
reference_id GHSA-c76h-2ccp-4975
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c76h-2ccp-4975
14
reference_url https://access.redhat.com/errata/RHSA-2025:1351
reference_id RHSA-2025:1351
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1351
15
reference_url https://access.redhat.com/errata/RHSA-2025:1443
reference_id RHSA-2025:1443
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1443
16
reference_url https://access.redhat.com/errata/RHSA-2025:1446
reference_id RHSA-2025:1446
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1446
17
reference_url https://access.redhat.com/errata/RHSA-2025:1454
reference_id RHSA-2025:1454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1454
18
reference_url https://access.redhat.com/errata/RHSA-2025:1582
reference_id RHSA-2025:1582
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1582
19
reference_url https://access.redhat.com/errata/RHSA-2025:1611
reference_id RHSA-2025:1611
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1611
20
reference_url https://access.redhat.com/errata/RHSA-2025:1613
reference_id RHSA-2025:1613
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1613
21
reference_url https://access.redhat.com/errata/RHSA-2025:17145
reference_id RHSA-2025:17145
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17145
22
reference_url https://access.redhat.com/errata/RHSA-2025:1931
reference_id RHSA-2025:1931
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1931
23
reference_url https://access.redhat.com/errata/RHSA-2025:2588
reference_id RHSA-2025:2588
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2588
24
reference_url https://access.redhat.com/errata/RHSA-2025:3368
reference_id RHSA-2025:3368
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3368
25
reference_url https://access.redhat.com/errata/RHSA-2025:3374
reference_id RHSA-2025:3374
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3374
26
reference_url https://access.redhat.com/errata/RHSA-2025:3397
reference_id RHSA-2025:3397
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3397
fixed_packages
0
url pkg:npm/undici@6.21.1
purl pkg:npm/undici@6.21.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-ph2p-u33d-8yh3
4
vulnerability VCID-sy2z-sqgk-d7hg
5
vulnerability VCID-z7ac-jr58-gkfm
6
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.1
1
url pkg:npm/undici@7.2.3
purl pkg:npm/undici@7.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-ph2p-u33d-8yh3
4
vulnerability VCID-sy2z-sqgk-d7hg
5
vulnerability VCID-z7ac-jr58-gkfm
6
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.2.3
aliases CVE-2025-22150, GHSA-c76h-2ccp-4975
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pah5-gspe-hbbh
5
url VCID-ph2p-u33d-8yh3
vulnerability_id VCID-ph2p-u33d-8yh3
summary 
Undici has CRLF Injection in undici via `upgrade` option
### Impact

When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to:

1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:

```javascript
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
```

### Patches

 Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

### Workarounds

Sanitize the `upgrade` option string before passing to undici:

```javascript
function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1527
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01228
published_at 2026-04-16T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01235
published_at 2026-04-13T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00954
published_at 2026-04-08T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.0095
published_at 2026-04-09T12:55:00Z
4
value 9e-05
scoring_system epss
scoring_elements 0.00946
published_at 2026-04-04T12:55:00Z
5
value 9e-05
scoring_system epss
scoring_elements 0.00934
published_at 2026-04-12T12:55:00Z
6
value 9e-05
scoring_system epss
scoring_elements 0.00938
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1527
2
reference_url https://cna.openjsf.org/security-advisories.html
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/
url https://cna.openjsf.org/security-advisories.html
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
5
reference_url https://hackerone.com/reports/3487198
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/
url https://hackerone.com/reports/3487198
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1527
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1527
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882
reference_id 1130882
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2447141
reference_id 2447141
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2447141
9
reference_url https://github.com/advisories/GHSA-4992-7rv2-5pvq
reference_id GHSA-4992-7rv2-5pvq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4992-7rv2-5pvq
10
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
11
reference_url https://access.redhat.com/errata/RHSA-2026:7670
reference_id RHSA-2026:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7670
12
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
fixed_packages
0
url pkg:npm/undici@6.24.0
purl pkg:npm/undici@6.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0
1
url pkg:npm/undici@7.24.0
purl pkg:npm/undici@7.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0
aliases CVE-2026-1527, GHSA-4992-7rv2-5pvq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ph2p-u33d-8yh3
6
url VCID-sy2z-sqgk-d7hg
vulnerability_id VCID-sy2z-sqgk-d7hg
summary 
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
## Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

## Impact

- Remote denial of service against any Node.js application using undici's WebSocket client
- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
- No application-level mitigation is possible as decompression occurs before message delivery

### Patches

Users should upgrade to fixed versions.

### Workarounds

No workaround are possible.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1526
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04784
published_at 2026-04-02T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04824
published_at 2026-04-07T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04808
published_at 2026-04-04T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04834
published_at 2026-04-12T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04857
published_at 2026-04-11T12:55:00Z
5
value 0.00018
scoring_system epss
scoring_elements 0.0488
published_at 2026-04-09T12:55:00Z
6
value 0.00018
scoring_system epss
scoring_elements 0.04862
published_at 2026-04-08T12:55:00Z
7
value 0.0002
scoring_system epss
scoring_elements 0.05394
published_at 2026-04-13T12:55:00Z
8
value 0.0002
scoring_system epss
scoring_elements 0.05343
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1526
2
reference_url https://cna.openjsf.org/security-advisories.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/
url https://cna.openjsf.org/security-advisories.html
3
reference_url https://datatracker.ietf.org/doc/html/rfc7692
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/
url https://datatracker.ietf.org/doc/html/rfc7692
4
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
6
reference_url https://hackerone.com/reports/3481206
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/
url https://hackerone.com/reports/3481206
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1526
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1526
8
reference_url https://owasp.org/www-community/attacks/Denial_of_Service
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://owasp.org/www-community/attacks/Denial_of_Service
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880
reference_id 1130880
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2447142
reference_id 2447142
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2447142
11
reference_url https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
reference_id GHSA-vrm6-8vpv-qv8q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
12
reference_url https://access.redhat.com/errata/RHSA-2026:5807
reference_id RHSA-2026:5807
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5807
13
reference_url https://access.redhat.com/errata/RHSA-2026:7080
reference_id RHSA-2026:7080
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7080
14
reference_url https://access.redhat.com/errata/RHSA-2026:7123
reference_id RHSA-2026:7123
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7123
15
reference_url https://access.redhat.com/errata/RHSA-2026:7302
reference_id RHSA-2026:7302
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7302
16
reference_url https://access.redhat.com/errata/RHSA-2026:7310
reference_id RHSA-2026:7310
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7310
17
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
18
reference_url https://access.redhat.com/errata/RHSA-2026:7670
reference_id RHSA-2026:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7670
19
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
20
reference_url https://access.redhat.com/errata/RHSA-2026:7983
reference_id RHSA-2026:7983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7983
fixed_packages
0
url pkg:npm/undici@6.24.0
purl pkg:npm/undici@6.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0
1
url pkg:npm/undici@7.24.0
purl pkg:npm/undici@7.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0
aliases CVE-2026-1526, GHSA-vrm6-8vpv-qv8q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sy2z-sqgk-d7hg
7
url VCID-u8t3-4awy-k3fm
vulnerability_id VCID-u8t3-4awy-k3fm
summary 
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
### Impact

Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.

### Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.
Fixes has been released in v5.28.4 and v6.11.1.

### Workarounds

use `fetch()` or disable `maxRedirections`.

### References

Linzi Shang reported this.

* https://hackerone.com/reports/2408074
* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-30260
reference_id
reference_type
scores
0
value 0.00177
scoring_system epss
scoring_elements 0.3936
published_at 2026-04-16T12:55:00Z
1
value 0.00177
scoring_system epss
scoring_elements 0.39307
published_at 2026-04-13T12:55:00Z
2
value 0.00177
scoring_system epss
scoring_elements 0.39326
published_at 2026-04-12T12:55:00Z
3
value 0.00177
scoring_system epss
scoring_elements 0.39365
published_at 2026-04-11T12:55:00Z
4
value 0.00177
scoring_system epss
scoring_elements 0.39353
published_at 2026-04-09T12:55:00Z
5
value 0.00177
scoring_system epss
scoring_elements 0.39336
published_at 2026-04-08T12:55:00Z
6
value 0.00177
scoring_system epss
scoring_elements 0.39367
published_at 2026-04-04T12:55:00Z
7
value 0.00177
scoring_system epss
scoring_elements 0.39281
published_at 2026-04-07T12:55:00Z
8
value 0.00177
scoring_system epss
scoring_elements 0.39344
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-30260
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
5
reference_url https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
6
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
7
reference_url https://hackerone.com/reports/2408074
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/2408074
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30260
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-30260
12
reference_url https://security.netapp.com/advisory/ntap-20240905-0008
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240905-0008
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2273522
reference_id 2273522
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2273522
14
reference_url https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
reference_id GHSA-m4v8-wqvr-p9f7
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
reference_id HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
reference_id NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
reference_id P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
18
reference_url https://access.redhat.com/errata/RHSA-2024:6667
reference_id RHSA-2024:6667
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6667
fixed_packages
0
url pkg:npm/undici@6.11.1
purl pkg:npm/undici@6.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-pah5-gspe-hbbh
4
vulnerability VCID-ph2p-u33d-8yh3
5
vulnerability VCID-sy2z-sqgk-d7hg
6
vulnerability VCID-z7ac-jr58-gkfm
7
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1
aliases CVE-2024-30260, GHSA-m4v8-wqvr-p9f7
risk_score 1.8
exploitability 0.5
weighted_severity 3.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u8t3-4awy-k3fm
8
url VCID-xx5u-7mmp-akfs
vulnerability_id VCID-xx5u-7mmp-akfs
summary 
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
### Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. 

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24758.json
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24758.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24758
reference_id
reference_type
scores
0
value 0.00278
scoring_system epss
scoring_elements 0.51277
published_at 2026-04-16T12:55:00Z
1
value 0.00278
scoring_system epss
scoring_elements 0.51195
published_at 2026-04-02T12:55:00Z
2
value 0.00278
scoring_system epss
scoring_elements 0.51221
published_at 2026-04-04T12:55:00Z
3
value 0.00278
scoring_system epss
scoring_elements 0.51179
published_at 2026-04-07T12:55:00Z
4
value 0.00278
scoring_system epss
scoring_elements 0.51234
published_at 2026-04-08T12:55:00Z
5
value 0.00278
scoring_system epss
scoring_elements 0.51231
published_at 2026-04-09T12:55:00Z
6
value 0.00278
scoring_system epss
scoring_elements 0.51275
published_at 2026-04-11T12:55:00Z
7
value 0.00278
scoring_system epss
scoring_elements 0.51254
published_at 2026-04-12T12:55:00Z
8
value 0.00278
scoring_system epss
scoring_elements 0.5124
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24758
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/
url https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
5
reference_url https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
6
reference_url https://github.com/nodejs/undici/releases/tag/v5.28.3
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici/releases/tag/v5.28.3
7
reference_url https://github.com/nodejs/undici/releases/tag/v6.6.1
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici/releases/tag/v6.6.1
8
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24758
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24758
10
reference_url https://security.netapp.com/advisory/ntap-20240419-0007
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240419-0007
11
reference_url http://www.openwall.com/lists/oss-security/2024/03/11/1
reference_id
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/
url http://www.openwall.com/lists/oss-security/2024/03/11/1
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064312
reference_id 1064312
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064312
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2264730
reference_id 2264730
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2264730
14
reference_url https://github.com/advisories/GHSA-3787-6prv-h9w3
reference_id GHSA-3787-6prv-h9w3
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3787-6prv-h9w3
15
reference_url https://security.netapp.com/advisory/ntap-20240419-0007/
reference_id ntap-20240419-0007
reference_type
scores
0
value 3.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/
url https://security.netapp.com/advisory/ntap-20240419-0007/
fixed_packages
0
url pkg:npm/undici@6.6.1
purl pkg:npm/undici@6.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-pah5-gspe-hbbh
4
vulnerability VCID-ph2p-u33d-8yh3
5
vulnerability VCID-sy2z-sqgk-d7hg
6
vulnerability VCID-u8t3-4awy-k3fm
7
vulnerability VCID-z653-vqsc-euer
8
vulnerability VCID-z7ac-jr58-gkfm
9
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1
aliases CVE-2024-24758, GHSA-3787-6prv-h9w3
risk_score 1.8
exploitability 0.5
weighted_severity 3.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xx5u-7mmp-akfs
9
url VCID-z653-vqsc-euer
vulnerability_id VCID-z653-vqsc-euer
summary 
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
### Impact

If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.

### Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.
Fixes has been released in v5.28.4 and v6.11.1.


### Workarounds

Ensure that `integrity` cannot be tampered with.

### References

https://hackerone.com/reports/2377760
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-30261
reference_id
reference_type
scores
0
value 0.0006
scoring_system epss
scoring_elements 0.18619
published_at 2026-04-16T12:55:00Z
1
value 0.0006
scoring_system epss
scoring_elements 0.18671
published_at 2026-04-13T12:55:00Z
2
value 0.0006
scoring_system epss
scoring_elements 0.18721
published_at 2026-04-12T12:55:00Z
3
value 0.0006
scoring_system epss
scoring_elements 0.18768
published_at 2026-04-11T12:55:00Z
4
value 0.0006
scoring_system epss
scoring_elements 0.18763
published_at 2026-04-09T12:55:00Z
5
value 0.0006
scoring_system epss
scoring_elements 0.18709
published_at 2026-04-08T12:55:00Z
6
value 0.0006
scoring_system epss
scoring_elements 0.1863
published_at 2026-04-07T12:55:00Z
7
value 0.0006
scoring_system epss
scoring_elements 0.18909
published_at 2026-04-04T12:55:00Z
8
value 0.0006
scoring_system epss
scoring_elements 0.18856
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-30261
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
5
reference_url https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
6
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
7
reference_url https://hackerone.com/reports/2377760
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://hackerone.com/reports/2377760
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30261
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-30261
12
reference_url https://security.netapp.com/advisory/ntap-20240905-0008
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240905-0008
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2273519
reference_id 2273519
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2273519
14
reference_url https://github.com/advisories/GHSA-9qxr-qj54-h672
reference_id GHSA-9qxr-qj54-h672
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9qxr-qj54-h672
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
reference_id HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
reference_id NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
reference_id P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
18
reference_url https://access.redhat.com/errata/RHSA-2024:6667
reference_id RHSA-2024:6667
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6667
19
reference_url https://access.redhat.com/errata/RHSA-2025:1931
reference_id RHSA-2025:1931
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1931
fixed_packages
0
url pkg:npm/undici@6.11.1
purl pkg:npm/undici@6.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1294-r4v2-3ud7
1
vulnerability VCID-hgd1-7u6j-p7dh
2
vulnerability VCID-n6ew-t7g1-33gn
3
vulnerability VCID-pah5-gspe-hbbh
4
vulnerability VCID-ph2p-u33d-8yh3
5
vulnerability VCID-sy2z-sqgk-d7hg
6
vulnerability VCID-z7ac-jr58-gkfm
7
vulnerability VCID-zb3h-efqz-dff3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1
aliases CVE-2024-30261, GHSA-9qxr-qj54-h672
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z653-vqsc-euer
10
url VCID-z7ac-jr58-gkfm
vulnerability_id VCID-z7ac-jr58-gkfm
summary 
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
### Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. 

### Patches


 Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

### Workarounds

There are no workarounds.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1528
reference_id
reference_type
scores
0
value 0.00128
scoring_system epss
scoring_elements 0.32332
published_at 2026-04-02T12:55:00Z
1
value 0.00128
scoring_system epss
scoring_elements 0.32194
published_at 2026-04-07T12:55:00Z
2
value 0.00128
scoring_system epss
scoring_elements 0.3237
published_at 2026-04-04T12:55:00Z
3
value 0.00128
scoring_system epss
scoring_elements 0.32234
published_at 2026-04-12T12:55:00Z
4
value 0.00128
scoring_system epss
scoring_elements 0.32272
published_at 2026-04-11T12:55:00Z
5
value 0.00128
scoring_system epss
scoring_elements 0.32271
published_at 2026-04-09T12:55:00Z
6
value 0.00128
scoring_system epss
scoring_elements 0.32243
published_at 2026-04-08T12:55:00Z
7
value 0.0014
scoring_system epss
scoring_elements 0.34129
published_at 2026-04-13T12:55:00Z
8
value 0.0014
scoring_system epss
scoring_elements 0.34167
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1528
2
reference_url https://cna.openjsf.org/security-advisories.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/
url https://cna.openjsf.org/security-advisories.html
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
5
reference_url https://hackerone.com/reports/3537648
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/
url https://hackerone.com/reports/3537648
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1528
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1528
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883
reference_id 1130883
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2447145
reference_id 2447145
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2447145
9
reference_url https://github.com/advisories/GHSA-f269-vfmq-vjvj
reference_id GHSA-f269-vfmq-vjvj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f269-vfmq-vjvj
10
reference_url https://access.redhat.com/errata/RHSA-2026:5807
reference_id RHSA-2026:5807
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5807
11
reference_url https://access.redhat.com/errata/RHSA-2026:7080
reference_id RHSA-2026:7080
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7080
12
reference_url https://access.redhat.com/errata/RHSA-2026:7123
reference_id RHSA-2026:7123
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7123
13
reference_url https://access.redhat.com/errata/RHSA-2026:7302
reference_id RHSA-2026:7302
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7302
14
reference_url https://access.redhat.com/errata/RHSA-2026:7310
reference_id RHSA-2026:7310
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7310
15
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
16
reference_url https://access.redhat.com/errata/RHSA-2026:7670
reference_id RHSA-2026:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7670
17
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
18
reference_url https://access.redhat.com/errata/RHSA-2026:7983
reference_id RHSA-2026:7983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7983
fixed_packages
0
url pkg:npm/undici@6.24.0
purl pkg:npm/undici@6.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0
1
url pkg:npm/undici@7.24.0
purl pkg:npm/undici@7.24.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0
aliases CVE-2026-1528, GHSA-f269-vfmq-vjvj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z7ac-jr58-gkfm
11
url VCID-zb3h-efqz-dff3
vulnerability_id VCID-zb3h-efqz-dff3
summary 
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
### Impact

The `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

### Patches

Upgrade to 7.18.2 or 6.23.0.

### Workarounds

It is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.

### References

* https://hackerone.com/reports/3456148
* https://github.com/advisories/GHSA-gm62-xv2j-4w53
* https://curl.se/docs/CVE-2022-32206.html
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22036
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05385
published_at 2026-04-16T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05433
published_at 2026-04-13T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05439
published_at 2026-04-12T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05453
published_at 2026-04-11T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05482
published_at 2026-04-09T12:55:00Z
5
value 0.0002
scoring_system epss
scoring_elements 0.0546
published_at 2026-04-08T12:55:00Z
6
value 0.0002
scoring_system epss
scoring_elements 0.05425
published_at 2026-04-07T12:55:00Z
7
value 0.0002
scoring_system epss
scoring_elements 0.05386
published_at 2026-04-02T12:55:00Z
8
value 0.0002
scoring_system epss
scoring_elements 0.05418
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22036
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/undici
4
reference_url https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/
url https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/
url https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22036
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22036
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679
reference_id 1125679
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2429741
reference_id 2429741
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2429741
9
reference_url https://github.com/advisories/GHSA-g9mf-h72j-4rw9
reference_id GHSA-g9mf-h72j-4rw9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fixed_packages
0
url pkg:npm/undici@6.23.0
purl pkg:npm/undici@6.23.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hgd1-7u6j-p7dh
1
vulnerability VCID-n6ew-t7g1-33gn
2
vulnerability VCID-ph2p-u33d-8yh3
3
vulnerability VCID-sy2z-sqgk-d7hg
4
vulnerability VCID-z7ac-jr58-gkfm
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.23.0
1
url pkg:npm/undici@7.18.2
purl pkg:npm/undici@7.18.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hgd1-7u6j-p7dh
1
vulnerability VCID-n6ew-t7g1-33gn
2
vulnerability VCID-ph2p-u33d-8yh3
3
vulnerability VCID-sy2z-sqgk-d7hg
4
vulnerability VCID-vdca-exd1-rfce
5
vulnerability VCID-z7ac-jr58-gkfm
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.2
aliases CVE-2026-22036, GHSA-g9mf-h72j-4rw9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zb3h-efqz-dff3
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.1