Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/660993?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/660993?format=api", "purl": "pkg:npm/undici@5.26.4", "type": "npm", "namespace": "", "name": "undici", "version": "5.26.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.24.0", "latest_non_vulnerable_version": "7.24.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30254?format=api", "vulnerability_id": "VCID-1294-r4v2-3ud7", "summary": "undici Denial of Service attack via bad certificate data\n### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid keep calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47279", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14445", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14571", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14641", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14452", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.1454", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14593", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14541", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14502", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47279" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25" }, { "reference_url": "https://github.com/nodejs/undici/issues/3895", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/issues/3895" }, { "reference_url": "https://github.com/nodejs/undici/pull/4088", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/pull/4088" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860", "reference_id": "1105860", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366632", "reference_id": "2366632", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366632" }, { "reference_url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3", "reference_id": "GHSA-cxrh-j4jr-qwg3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71015?format=api", "purl": "pkg:npm/undici@5.29.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.29.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/71016?format=api", "purl": "pkg:npm/undici@6.21.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/71017?format=api", "purl": "pkg:npm/undici@7.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.5.0" } ], "aliases": [ "CVE-2025-47279", "GHSA-cxrh-j4jr-qwg3" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1294-r4v2-3ud7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24973?format=api", "vulnerability_id": "VCID-hgd1-7u6j-p7dh", "summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation\n### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40462", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40499", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40478", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40467", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40417", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40494", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40468", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42413", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2229" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://datatracker.ietf.org/doc/html/rfc7692", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8" }, { "reference_url": "https://hackerone.com/reports/3487486", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://hackerone.com/reports/3487486" }, { "reference_url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/" } ], "url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884", "reference_id": "1130884", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447143", "reference_id": "2447143", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447143" }, { "reference_url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "reference_id": "GHSA-v9p9-hfj2-hcw8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66093?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65142?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-2229", "GHSA-v9p9-hfj2-hcw8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hgd1-7u6j-p7dh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24956?format=api", "vulnerability_id": "VCID-n6ew-t7g1-33gn", "summary": "Undici has an HTTP Request/Response Smuggling issue\n### Impact\n\nUndici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.\n\n**Who is impacted:**\n - Applications using `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays\n - Applications that accept user-controlled header names without case-normalization\n\n**Potential consequences:**\n - **Denial of Service**: Strict HTTP parsers (proxies, servers) will reject requests with duplicate `Content-Length` headers (400 Bad Request)\n - **HTTP Request Smuggling**: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\n If upgrading is not immediately possible:\n\n 1. **Validate header names**: Ensure no duplicate `Content-Length` headers (case-insensitive) are present before passing headers to undici\n 2. **Use object format**: Pass headers as a plain object (`{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key\n 3. **Sanitize user input**: If headers originate from user input, normalize header names to lowercase and reject duplicates", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03742", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03754", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03735", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03756", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03795", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03771", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03768", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04453", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://cwe.mitre.org/data/definitions/444.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cwe.mitre.org/data/definitions/444.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://hackerone.com/reports/3556037", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://hackerone.com/reports/3556037" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525" }, { "reference_url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879", "reference_id": "1130879", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144", "reference_id": "2447144", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144" }, { "reference_url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "GHSA-2mjp-6q6p-2qxm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66093?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65142?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1525", "GHSA-2mjp-6q6p-2qxm" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n6ew-t7g1-33gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25928?format=api", "vulnerability_id": "VCID-pah5-gspe-hbbh", "summary": "Use of Insufficiently Random Values in undici\n### Impact\n\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\n\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.\n\n### Patches\n\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\n\n### Workarounds\n\nDo not issue multipart requests to attacker controlled servers.\n\n### References\n\n* https://hackerone.com/reports/2913312\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69597", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69543", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69558", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69537", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69587", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69604", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69626", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00605", "scoring_system": "epss", "scoring_elements": "0.69611", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22150" }, { "reference_url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113" }, { "reference_url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0" }, { "reference_url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a" }, { "reference_url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975" }, { "reference_url": "https://hackerone.com/reports/2913312", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/" } ], "url": "https://hackerone.com/reports/2913312" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339176", "reference_id": "2339176", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339176" }, { "reference_url": "https://github.com/advisories/GHSA-c76h-2ccp-4975", "reference_id": "GHSA-c76h-2ccp-4975", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c76h-2ccp-4975" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1351", "reference_id": "RHSA-2025:1351", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1351" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1443", "reference_id": "RHSA-2025:1443", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1443" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1446", "reference_id": "RHSA-2025:1446", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1446" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1454", "reference_id": "RHSA-2025:1454", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1454" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1582", "reference_id": "RHSA-2025:1582", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1582" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1611", "reference_id": "RHSA-2025:1611", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1611" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1613", "reference_id": "RHSA-2025:1613", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1613" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:17145", "reference_id": "RHSA-2025:17145", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:17145" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1931", "reference_id": "RHSA-2025:1931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1931" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2588", "reference_id": "RHSA-2025:2588", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2588" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3368", "reference_id": "RHSA-2025:3368", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3368" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3374", "reference_id": "RHSA-2025:3374", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3374" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3397", "reference_id": "RHSA-2025:3397", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3397" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69245?format=api", "purl": "pkg:npm/undici@5.28.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/69246?format=api", "purl": "pkg:npm/undici@6.21.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.21.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69247?format=api", "purl": "pkg:npm/undici@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.2.3" } ], "aliases": [ "CVE-2025-22150", "GHSA-c76h-2ccp-4975" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pah5-gspe-hbbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24667?format=api", "vulnerability_id": "VCID-ph2p-u33d-8yh3", "summary": "Undici has CRLF Injection in undici via `upgrade` option\n### Impact\n\nWhen an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\\r\\n`) to:\n\n1. Inject arbitrary HTTP headers\n2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)\n\nThe vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:\n\n```javascript\n// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}\n```\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nSanitize the `upgrade` option string before passing to undici:\n\n```javascript\nfunction sanitizeUpgrade(value) {\n if (/[\\r\\n]/.test(value)) {\n throw new Error('Invalid upgrade value')\n }\n return value\n}\n\nclient.request({\n upgrade: sanitizeUpgrade(userInput)\n})\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01235", "published_at": "2026-04-13T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00938", "published_at": "2026-04-11T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00954", "published_at": "2026-04-08T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.0095", "published_at": "2026-04-09T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00946", "published_at": "2026-04-04T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00934", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://hackerone.com/reports/3487198", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://hackerone.com/reports/3487198" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882", "reference_id": "1130882", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141", "reference_id": "2447141", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141" }, { "reference_url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "GHSA-4992-7rv2-5pvq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66093?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65142?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1527", "GHSA-4992-7rv2-5pvq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ph2p-u33d-8yh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23250?format=api", "vulnerability_id": "VCID-sy2z-sqgk-d7hg", "summary": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression\n## Description\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\n\n## Impact\n\n- Remote denial of service against any Node.js application using undici's WebSocket client\n- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more\n- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits\n- No application-level mitigation is possible as decompression occurs before message delivery\n\n### Patches\n\nUsers should upgrade to fixed versions.\n\n### Workarounds\n\nNo workaround are possible.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04834", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04857", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0488", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04862", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04824", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04808", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04784", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05394", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://datatracker.ietf.org/doc/html/rfc7692", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://hackerone.com/reports/3481206", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://hackerone.com/reports/3481206" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526" }, { "reference_url": "https://owasp.org/www-community/attacks/Denial_of_Service", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/Denial_of_Service" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880", "reference_id": "1130880", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142", "reference_id": "2447142", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142" }, { "reference_url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "GHSA-vrm6-8vpv-qv8q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66093?format=api", "purl": "pkg:npm/undici@6.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.24.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65142?format=api", "purl": "pkg:npm/undici@7.24.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.24.0" } ], "aliases": [ "CVE-2026-1526", "GHSA-vrm6-8vpv-qv8q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sy2z-sqgk-d7hg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12661?format=api", "vulnerability_id": "VCID-u8t3-4awy-k3fm", "summary": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline\n### Impact\n\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.\n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.\nFixes has been released in v5.28.4 and v6.11.1.\n\n### Workarounds\n\nuse `fetch()` or disable `maxRedirections`.\n\n### References\n\nLinzi Shang reported this.\n\n* https://hackerone.com/reports/2408074\n* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30260.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30260", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.3936", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39307", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39326", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39365", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39353", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39336", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39367", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39281", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39344", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30260" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f" }, { "reference_url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7" }, { "reference_url": "https://hackerone.com/reports/2408074", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/2408074" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273522", "reference_id": "2273522", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273522" }, { "reference_url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7", "reference_id": "GHSA-m4v8-wqvr-p9f7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "reference_id": "HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "reference_id": "NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "reference_id": "P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:43:37Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6667", "reference_id": "RHSA-2024:6667", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6667" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45184?format=api", "purl": "pkg:npm/undici@5.28.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/45185?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30260", "GHSA-m4v8-wqvr-p9f7" ], "risk_score": 1.8, "exploitability": "0.5", "weighted_severity": "3.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u8t3-4awy-k3fm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15452?format=api", "vulnerability_id": "VCID-xx5u-7mmp-akfs", "summary": "Undici proxy-authorization header not cleared on cross-origin redirect in fetch\n### Impact\n\nUndici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. \n\n### Patches\n\nThis is patched in v5.28.3 and v6.6.1\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24758.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24758.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24758", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51277", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51195", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51221", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51179", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51234", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51231", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51275", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51254", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.5124", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24758" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/" } ], "url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef" }, { "reference_url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v5.28.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici/releases/tag/v5.28.3" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v6.6.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24758", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24758" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0007" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064312", "reference_id": "1064312", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064312" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264730", "reference_id": "2264730", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264730" }, { "reference_url": "https://github.com/advisories/GHSA-3787-6prv-h9w3", "reference_id": "GHSA-3787-6prv-h9w3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0007/", "reference_id": "ntap-20240419-0007", "reference_type": "", "scores": [ { "value": "3.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:56:27Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0007/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54488?format=api", "purl": "pkg:npm/undici@5.28.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/54369?format=api", "purl": "pkg:npm/undici@6.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1" } ], "aliases": [ "CVE-2024-24758", "GHSA-3787-6prv-h9w3" ], "risk_score": 1.8, "exploitability": "0.5", "weighted_severity": "3.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xx5u-7mmp-akfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12581?format=api", "vulnerability_id": "VCID-z653-vqsc-euer", "summary": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect\n### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes has been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30261.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30261", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18619", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18671", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18721", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18768", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18763", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18709", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.1863", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18909", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18856", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-30261" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055" }, { "reference_url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672" }, { "reference_url": "https://hackerone.com/reports/2377760", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://hackerone.com/reports/2377760" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240905-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240905-0008" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273519", "reference_id": "2273519", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273519" }, { "reference_url": "https://github.com/advisories/GHSA-9qxr-qj54-h672", "reference_id": "GHSA-9qxr-qj54-h672", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9qxr-qj54-h672" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "reference_id": "HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "reference_id": "NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "reference_id": "P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:04:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6667", "reference_id": "RHSA-2024:6667", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6667" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1931", "reference_id": "RHSA-2025:1931", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1931" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45184?format=api", "purl": "pkg:npm/undici@5.28.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/45185?format=api", "purl": "pkg:npm/undici@6.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1" } ], "aliases": [ "CVE-2024-30261", "GHSA-9qxr-qj54-h672" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z653-vqsc-euer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20437?format=api", "vulnerability_id": "VCID-zb3h-efqz-dff3", "summary": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion\n### Impact\n\nThe `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.\n\nHowever, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.\n\n### Patches\n\nUpgrade to 7.18.2 or 6.23.0.\n\n### Workarounds\n\nIt is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.\n\n### References\n\n* https://hackerone.com/reports/3456148\n* https://github.com/advisories/GHSA-gm62-xv2j-4w53\n* https://curl.se/docs/CVE-2022-32206.html", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22036.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22036", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05433", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05439", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05453", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05386", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0546", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05425", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05418", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05482", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22036" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/" } ], "url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:17:52Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679", "reference_id": "1125679", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429741", "reference_id": "2429741", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429741" }, { "reference_url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "reference_id": "GHSA-g9mf-h72j-4rw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62026?format=api", "purl": "pkg:npm/undici@6.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.23.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/62025?format=api", "purl": "pkg:npm/undici@7.18.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-vdca-exd1-rfce" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@7.18.2" } ], "aliases": [ "CVE-2026-22036", "GHSA-g9mf-h72j-4rw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zb3h-efqz-dff3" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.26.4" }