Package details: pkg:deb/debian/node-undici@5.8.2%2Bdfsg1%2B~cs18.9.18.1-1?distro=trixie
purl pkg:deb/debian/node-undici@5.8.2%2Bdfsg1%2B~cs18.9.18.1-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
Vulnerability: VCID-g4wu-n75v-p7ad
Summary: `undici.request` vulnerable to SSRF using absolute URL on `pathname`

### Impact

`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes user input into the `path` parameter of `undici.request`, it can result in an _SSRF_, as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

### Patches

This issue was fixed in `undici@5.8.1`.

### Workarounds

The best workaround is to validate user input before passing it to the `undici.request` call.

## For more information

If you have any questions or comments about this advisory:

- Open an issue in the [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

Aliases: CVE-2022-35949, GHSA-8qr4-xgw6-wmr3
Vulnerability: VCID-rskk-s95c-rfgz
Summary: Nodejs 'undici' vulnerable to CRLF Injection via Content-Type

### Impact

`<= undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically inside the `content-type` header.

Example:

```js
import { request } from 'undici'

// Unsanitized user input: a valid media type followed by CRLF CRLF and a second request line
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: {
    'content-type': unsanitizedContentTypeInput
  },
})
```

The above snippet will perform two requests in a single `request` API call:

1) `http://localhost:3000/`
2) `http://localhost:3000/foo2`

### Patches

This issue was patched in Undici v5.8.1.

### Workarounds

Sanitize input when sending content-type headers using user input.

## For more information

If you have any questions or comments about this advisory:

- Open an issue in the [undici repository](https://github.com/nodejs/undici/issues)
- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document

Aliases: CVE-2022-35948, GHSA-f772-66g8-q5h3
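A caller-side validation for both advisories above (the `pathname` SSRF and the Content-Type CRLF injection), added here as an example and not code from the undici project or from the advisories. It resolves the user-supplied path against the intended origin with the WHATWG URL parser and rejects it if the origin changes, and rejects header values containing CR/LF before anything reaches `undici.request`. The function names are assumptions, and undici itself is not imported so the block runs stand-alone.

```javascript
// Added example (hypothetical helper names): validate user-controlled path and
// header values before building undici.request options.

// Resolve `pathname` against `origin` the way a URL-based client would and
// accept it only if the origin is unchanged. This rejects "//127.0.0.1",
// "http://127.0.0.1", "\\127.0.0.1" and "//user@127.0.0.1" alike, without
// relying on hand-written prefix checks.
function resolveWithinOrigin(origin, pathname) {
  const base = new URL(origin);
  let resolved;
  try {
    resolved = new URL(pathname, base);
  } catch (err) {
    throw new Error(`unparseable pathname: ${pathname}`);
  }
  if (resolved.origin !== base.origin) {
    throw new Error(`pathname escapes origin ${base.origin}: ${pathname}`);
  }
  // Return only the path and query; the host always comes from `origin`.
  return resolved.pathname + resolved.search;
}

// Reject header values containing CR, LF or NUL. A CRLF CRLF sequence inside a
// value is what turns "application/json\r\n\r\nGET /foo2 HTTP/1.1" into a
// second request on the same connection. Tabs stay allowed (valid in field values).
function assertHeaderValue(name, value) {
  if (typeof value !== "string" || /[\r\n\0]/.test(value)) {
    throw new Error(`invalid characters in header ${name}`);
  }
  return value;
}

// Build a sanitized options object for undici.request({ origin, path, headers }).
// Both checks throw, so a bad value never reaches the HTTP client.
function buildRequestOptions(origin, userPath, userHeaders = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(userHeaders)) {
    headers[name] = assertHeaderValue(name, value);
  }
  return {
    origin,
    method: "GET",
    path: resolveWithinOrigin(origin, userPath),
    headers,
  };
}
```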

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T09:14:41.741861+00:00 Debian Importer Fixing VCID-rskk-s95c-rfgz https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:49:18.812725+00:00 Debian Importer Fixing VCID-g4wu-n75v-p7ad https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-11T18:10:55.706808+00:00 Debian Importer Fixing VCID-rskk-s95c-rfgz https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:55:37.150085+00:00 Debian Importer Fixing VCID-g4wu-n75v-p7ad https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:47:17.665714+00:00 Debian Importer Fixing VCID-g4wu-n75v-p7ad https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:47:17.624928+00:00 Debian Importer Fixing VCID-rskk-s95c-rfgz https://security-tracker.debian.org/tracker/data/json 38.1.0