Package details: pkg:deb/debian/node-undici@5.28.4%2Bdfsg1%2B~cs23.12.11-1?distro=trixie
purl pkg:deb/debian/node-undici@5.28.4%2Bdfsg1%2B~cs23.12.11-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-u8t3-4awy-k3fm
Summary: Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

### Impact
Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.

### Patches
This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1.

### Workarounds
Use `fetch()` or disable `maxRedirections`.

### References
Linzi Shang reported this.
* https://hackerone.com/reports/2408074
* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

Aliases: CVE-2024-30260, GHSA-m4v8-wqvr-p9f7

VCID-xx5u-7mmp-akfs
Summary: Undici proxy-authorization header not cleared on cross-origin redirect in fetch

### Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.

### Patches
This is patched in v5.28.3 and v6.6.1.

### Workarounds
There are no known workarounds.

### References
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

Aliases: CVE-2024-24758, GHSA-3787-6prv-h9w3

VCID-z653-vqsc-euer
Summary: Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

### Impact
If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered with.

### Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1.

### Workarounds
Ensure that `integrity` cannot be tampered with.

### References
https://hackerone.com/reports/2377760

Aliases: CVE-2024-30261, GHSA-9qxr-qj54-h672

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-03T07:47:18.032557+00:00 | Debian Importer | Fixing | VCID-z653-vqsc-euer | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:47:17.985910+00:00 | Debian Importer | Fixing | VCID-u8t3-4awy-k3fm | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:47:17.935597+00:00 | Debian Importer | Fixing | VCID-xx5u-7mmp-akfs | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |