VulnerableCode Package Details - pkg:deb/debian/node-undici@5.8.0%2Bdfsg1%2B~cs18.9.16-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-wqk1-vxt3-j3bb	undici before v5.8.0 vulnerable to CRLF injection in request headers ### Impact It is possible to inject CRLF sequences into request headers in Undici. ```js const undici = require('undici') const response = undici.request("http://127.0.0.1:1000", { headers: {'a': "\r\nb"} }) ``` The same applies to `path` and `method` ### Patches Update to v5.8.0 ### Workarounds Sanitize all HTTP headers from untrusted sources to eliminate `\r\n`. ### References https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116 ### For more information If you have any questions or comments about this advisory: * Open an issue in [undici repository](https://github.com/nodejs/undici/issues) * To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document	CVE-2022-31150 GHSA-3cvr-822r-rqcc
VCID-x5np-z1be-m7gq	undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect ### Impact Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in v5.8.0. ### Workarounds By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). ### References https://hackerone.com/reports/1635514 https://curl.se/docs/CVE-2018-1000007.html https://curl.se/docs/CVE-2022-27776.html ### For more information If you have any questions or comments about this advisory: * Open an issue in [undici repository](https://github.com/nodejs/undici/issues) * To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document	CVE-2022-31151 GHSA-q768-x9m6-m9qp

Vulnerability

Summary

Aliases

VCID-wqk1-vxt3-j3bb

undici before v5.8.0 vulnerable to CRLF injection in request headers ### Impact It is possible to inject CRLF sequences into request headers in Undici. ```js const undici = require('undici') const response = undici.request("http://127.0.0.1:1000", { headers: {'a': "\r\nb"} }) ``` The same applies to `path` and `method` ### Patches Update to v5.8.0 ### Workarounds Sanitize all HTTP headers from untrusted sources to eliminate `\r\n`. ### References https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116 ### For more information If you have any questions or comments about this advisory: * Open an issue in [undici repository](https://github.com/nodejs/undici/issues) * To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

CVE-2022-31150
GHSA-3cvr-822r-rqcc

VCID-x5np-z1be-m7gq

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect ### Impact Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in v5.8.0. ### Workarounds By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). ### References https://hackerone.com/reports/1635514 https://curl.se/docs/CVE-2018-1000007.html https://curl.se/docs/CVE-2022-27776.html ### For more information If you have any questions or comments about this advisory: * Open an issue in [undici repository](https://github.com/nodejs/undici/issues) * To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

CVE-2022-31151
GHSA-q768-x9m6-m9qp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:00:27.869900+00:00	Debian Importer	Fixing	VCID-x5np-z1be-m7gq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:10:32.090497+00:00	Debian Importer	Fixing	VCID-wqk1-vxt3-j3bb	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T06:42:33.648453+00:00	Debian Importer	Fixing	VCID-x5np-z1be-m7gq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:08:31.262123+00:00	Debian Importer	Fixing	VCID-wqk1-vxt3-j3bb	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:47:17.537454+00:00	Debian Importer	Fixing	VCID-x5np-z1be-m7gq	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:17.493153+00:00	Debian Importer	Fixing	VCID-wqk1-vxt3-j3bb	https://security-tracker.debian.org/tracker/data/json	38.1.0