Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/932711?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "type": "deb", "namespace": "debian", "name": "node-undici", "version": "0", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "5.6.1+dfsg1+~cs18.9.16-1", "latest_non_vulnerable_version": "7.24.6+dfsg+~cs3.2.0-2", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15379?format=api", "vulnerability_id": "VCID-8ruv-6g79-c7ex", "summary": "fetch(url) leads to a memory leak in undici\n### Impact\n\nCalling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. \n\n### Patches\n\nPatched in v6.6.1\n\n### Workarounds\n\nMake sure to always consume the incoming body.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24750.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24750.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24750", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54596", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54617", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54638", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54655", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54643", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54648", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54604", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54628", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57569", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57595", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57528", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57591", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24750" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/" } ], "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v6.6.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24750", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24750" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0006", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0006" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264728", "reference_id": "2264728", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264728" }, { "reference_url": "https://github.com/advisories/GHSA-9f24-jqhm-jfcw", "reference_id": "GHSA-9f24-jqhm-jfcw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9f24-jqhm-jfcw" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0006/", "reference_id": "ntap-20240419-0006", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:30:24Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0006/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932704?format=api", "purl": "pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-vdca-exd1-rfce" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.3.0%252Bdfsg1%252B~cs24.12.11-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932702?format=api", "purl": "pkg:deb/debian/node-undici@7.18.2%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-vdca-exd1-rfce" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.18.2%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2024-24750", "GHSA-9f24-jqhm-jfcw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ruv-6g79-c7ex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24956?format=api", "vulnerability_id": "VCID-n6ew-t7g1-33gn", "summary": "Undici has an HTTP Request/Response Smuggling issue\n### Impact\n\nUndici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.\n\n**Who is impacted:**\n - Applications using `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays\n - Applications that accept user-controlled header names without case-normalization\n\n**Potential consequences:**\n - **Denial of Service**: Strict HTTP parsers (proxies, servers) will reject requests with duplicate `Content-Length` headers (400 Bad Request)\n - **HTTP Request Smuggling**: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\n If upgrading is not immediately possible:\n\n 1. **Validate header names**: Ensure no duplicate `Content-Length` headers (case-insensitive) are present before passing headers to undici\n 2. **Use object format**: Pass headers as a plain object (`{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key\n 3. **Sanitize user input**: If headers originate from user input, normalize header names to lowercase and reject duplicates", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1525.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03735", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03756", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03795", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03771", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03768", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03754", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03742", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04607", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04453", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04422", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04431", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04569", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1525" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://cwe.mitre.org/data/definitions/444.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://cwe.mitre.org/data/definitions/444.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://hackerone.com/reports/3556037", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://hackerone.com/reports/3556037" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525" }, { "reference_url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:44:24Z/" } ], "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879", "reference_id": "1130879", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130879" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144", "reference_id": "2447144", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447144" }, { "reference_url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "reference_id": "GHSA-2mjp-6q6p-2qxm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932713?format=api", "purl": "pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-1525", "GHSA-2mjp-6q6p-2qxm" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n6ew-t7g1-33gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24667?format=api", "vulnerability_id": "VCID-ph2p-u33d-8yh3", "summary": "Undici has CRLF Injection in undici via `upgrade` option\n### Impact\n\nWhen an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\\r\\n`) to:\n\n1. Inject arbitrary HTTP headers\n2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)\n\nThe vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:\n\n```javascript\n// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}\n```\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nSanitize the `upgrade` option string before passing to undici:\n\n```javascript\nfunction sanitizeUpgrade(value) {\n if (/[\\r\\n]/.test(value)) {\n throw new Error('Invalid upgrade value')\n }\n return value\n}\n\nclient.request({\n upgrade: sanitizeUpgrade(userInput)\n})\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1527.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01321", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01314", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01241", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01228", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01235", "published_at": "2026-04-13T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00946", "published_at": "2026-04-04T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.0095", "published_at": "2026-04-09T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00954", "published_at": "2026-04-08T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00938", "published_at": "2026-04-11T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00934", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1527" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://hackerone.com/reports/3487198", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:05:24Z/" } ], "url": "https://hackerone.com/reports/3487198" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882", "reference_id": "1130882", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141", "reference_id": "2447141", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447141" }, { "reference_url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "reference_id": "GHSA-4992-7rv2-5pvq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932713?format=api", "purl": "pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-1527", "GHSA-4992-7rv2-5pvq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ph2p-u33d-8yh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17894?format=api", "vulnerability_id": "VCID-rjwu-g5e6-63f2", "summary": "Undici vulnerable to data leak when using response.arrayBuffer()\n### Impact\n\nDepending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process.\n\n### Patches\n\nThis has been patched in v6.19.2.\n\n### Workarounds\n\nThere are no known workaround.\n\n### References\n\nhttps://github.com/nodejs/undici/issues/3337\nhttps://github.com/nodejs/undici/issues/3328\nhttps://github.com/nodejs/undici/pull/3338\nhttps://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38372", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44947", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44961", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44909", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44967", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44998", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45005", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44954", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44951", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44983", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.44962", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.4566", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.45729", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38372" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T20:29:36Z/" } ], "url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36" }, { "reference_url": "https://github.com/nodejs/undici/issues/3328", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T20:29:36Z/" } ], "url": "https://github.com/nodejs/undici/issues/3328" }, { "reference_url": "https://github.com/nodejs/undici/issues/3337", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T20:29:36Z/" } ], "url": "https://github.com/nodejs/undici/issues/3337" }, { "reference_url": "https://github.com/nodejs/undici/pull/3338", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T20:29:36Z/" } ], "url": "https://github.com/nodejs/undici/pull/3338" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T20:29:36Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38372", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38372" }, { "reference_url": "https://github.com/advisories/GHSA-3g92-w8c5-73pq", "reference_id": "GHSA-3g92-w8c5-73pq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3g92-w8c5-73pq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932704?format=api", "purl": "pkg:deb/debian/node-undici@7.3.0%2Bdfsg1%2B~cs24.12.11-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-vdca-exd1-rfce" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.3.0%252Bdfsg1%252B~cs24.12.11-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932702?format=api", "purl": "pkg:deb/debian/node-undici@7.18.2%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-vdca-exd1-rfce" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.18.2%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2024-38372", "GHSA-3g92-w8c5-73pq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rjwu-g5e6-63f2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23250?format=api", "vulnerability_id": "VCID-sy2z-sqgk-d7hg", "summary": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression\n## Description\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\n\n## Impact\n\n- Remote denial of service against any Node.js application using undici's WebSocket client\n- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more\n- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits\n- No application-level mitigation is possible as decompression occurs before message delivery\n\n### Patches\n\nUsers should upgrade to fixed versions.\n\n### Workarounds\n\nNo workaround are possible.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04784", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04857", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0488", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04862", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04824", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04808", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04834", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05508", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05345", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05343", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05394", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05545", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1526" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://datatracker.ietf.org/doc/html/rfc7692", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://hackerone.com/reports/3481206", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/" } ], "url": "https://hackerone.com/reports/3481206" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526" }, { "reference_url": "https://owasp.org/www-community/attacks/Denial_of_Service", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/Denial_of_Service" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880", "reference_id": "1130880", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142", "reference_id": "2447142", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447142" }, { "reference_url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "reference_id": "GHSA-vrm6-8vpv-qv8q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932713?format=api", "purl": "pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-1526", "GHSA-vrm6-8vpv-qv8q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sy2z-sqgk-d7hg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22518?format=api", "vulnerability_id": "VCID-vdca-exd1-rfce", "summary": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS\n## Impact\nThis is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when `interceptors.deduplicate()` is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\n## Patches\n\nThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.\n\n## Workarounds\nIf upgrading immediately is not possible:\n\n- Disable `interceptors.deduplicate()` for affected clients/routes.\n- Use `skipHeaderNames` with a marker header to force high-risk requests to bypass deduplication.\n- Avoid concurrent identical requests to untrusted endpoints that may return very large/chunked bodies.\n- Apply upstream/proxy response-size and timeout limits.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2581.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2581.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04325", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04353", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04366", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04293", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04373", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04357", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04314", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05137", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05043", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04985", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0499", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05164", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2581" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h" }, { "reference_url": "https://hackerone.com/reports/3513473", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:49Z/" } ], "url": "https://hackerone.com/reports/3513473" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130885", "reference_id": "1130885", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130885" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447140", "reference_id": "2447140", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447140" }, { "reference_url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h", "reference_id": "GHSA-phc3-fgpg-7m6h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932713?format=api", "purl": "pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-2581", "GHSA-phc3-fgpg-7m6h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vdca-exd1-rfce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24694?format=api", "vulnerability_id": "VCID-z7ac-jr58-gkfm", "summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client\n### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nThere are no workarounds.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1528.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1528", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.3237", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32272", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32271", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32243", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32194", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32332", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.32234", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34118", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34153", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34167", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34129", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33745", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1528" }, { "reference_url": "https://cna.openjsf.org/security-advisories.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://cna.openjsf.org/security-advisories.html" }, { "reference_url": "https://github.com/nodejs/undici", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nodejs/undici" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj" }, { "reference_url": "https://hackerone.com/reports/3537648", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:03:59Z/" } ], "url": "https://hackerone.com/reports/3537648" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883", "reference_id": "1130883", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130883" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447145", "reference_id": "2447145", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447145" }, { "reference_url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "reference_id": "GHSA-f269-vfmq-vjvj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7670", "reference_id": "RHSA-2026:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9742", "reference_id": "RHSA-2026:9742", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9742" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/932711?format=api", "purl": "pkg:deb/debian/node-undici@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932700?format=api", "purl": "pkg:deb/debian/node-undici@5.15.0%2Bdfsg1%2B~cs20.10.9.3-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1294-r4v2-3ud7" }, { "vulnerability": "VCID-g9bm-61bn-ryg5" }, { "vulnerability": "VCID-hgd1-7u6j-p7dh" }, { "vulnerability": "VCID-n6ew-t7g1-33gn" }, { "vulnerability": "VCID-pah5-gspe-hbbh" }, { "vulnerability": "VCID-ph2p-u33d-8yh3" }, { "vulnerability": "VCID-sy2z-sqgk-d7hg" }, { "vulnerability": "VCID-u8t3-4awy-k3fm" }, { "vulnerability": "VCID-xx5u-7mmp-akfs" }, { "vulnerability": "VCID-z653-vqsc-euer" }, { "vulnerability": "VCID-z7ac-jr58-gkfm" }, { "vulnerability": "VCID-zb3h-efqz-dff3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@5.15.0%252Bdfsg1%252B~cs20.10.9.3-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932713?format=api", "purl": "pkg:deb/debian/node-undici@7.24.5%2Bdfsg%2B~cs3.2.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.5%252Bdfsg%252B~cs3.2.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/932703?format=api", "purl": "pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-1528", "GHSA-f269-vfmq-vjvj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z7ac-jr58-gkfm" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@0%3Fdistro=trixie" }