{"url":"http://public2.vulnerablecode.io/api/packages/995017?format=json","purl":"pkg:deb/debian/node-undici@7.18.2%2Bdfsg%2B~cs3.2.0-1","type":"deb","namespace":"debian","name":"node-undici","version":"7.18.2+dfsg+~cs3.2.0-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.24.6+dfsg+~cs3.2.0-2","latest_non_vulnerable_version":"7.24.6+dfsg+~cs3.2.0-2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30254?format=json","vulnerability_id":"VCID-1294-r4v2-3ud7","summary":"undici Denial of Service attack via bad certificate data\n### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid keep calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47279.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47279","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14581","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14498","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14455","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14462","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14369","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14218","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14355","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.1441","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14436","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14407","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14593","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14452","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.1454","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14571","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14338","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14339","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14445","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14502","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14641","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14541","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47279"},{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/"}],"url":"https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25"},{"reference_url":"https://github.com/nodejs/undici/issues/3895","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/"}],"url":"https://github.com/nodejs/undici/issues/3895"},{"reference_url":"https://github.com/nodejs/undici/pull/4088","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/"}],"url":"https://github.com/nodejs/undici/pull/4088"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T17:51:54Z/"}],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47279","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47279"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860","reference_id":"1105860","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105860"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366632","reference_id":"2366632","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366632"},{"reference_url":"https://github.com/advisories/GHSA-cxrh-j4jr-qwg3","reference_id":"GHSA-cxrh-j4jr-qwg3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxrh-j4jr-qwg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995018?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/1026179?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2"}],"aliases":["CVE-2025-47279","GHSA-cxrh-j4jr-qwg3"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1294-r4v2-3ud7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24973?format=json","vulnerability_id":"VCID-hgd1-7u6j-p7dh","summary":"Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation\n### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2229.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2229","reference_id":"","reference_type":"","scores":[{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40478","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40468","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40462","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40499","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40494","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40417","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40467","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42145","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42071","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42215","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42299","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42302","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42366","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42413","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42175","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42104","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42076","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42161","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42437","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42462","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2229"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc7692","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc7692"},{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/"}],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"},{"reference_url":"https://hackerone.com/reports/3487486","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/"}],"url":"https://hackerone.com/reports/3487486"},{"reference_url":"https://nodejs.org/api/zlib.html#class-zlibinflateraw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T13:06:30Z/"}],"url":"https://nodejs.org/api/zlib.html#class-zlibinflateraw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2229","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2229"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884","reference_id":"1130884","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130884"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447143","reference_id":"2447143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447143"},{"reference_url":"https://github.com/advisories/GHSA-v9p9-hfj2-hcw8","reference_id":"GHSA-v9p9-hfj2-hcw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v9p9-hfj2-hcw8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7080","reference_id":"RHSA-2026:7080","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7080"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7123","reference_id":"RHSA-2026:7123","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7123"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7302","reference_id":"RHSA-2026:7302","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7302"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7310","reference_id":"RHSA-2026:7310","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7310"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7350","reference_id":"RHSA-2026:7350","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7350"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7670","reference_id":"RHSA-2026:7670","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7670"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7675","reference_id":"RHSA-2026:7675","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7675"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7983","reference_id":"RHSA-2026:7983","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7983"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995018?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/1026179?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2"}],"aliases":["CVE-2026-2229","GHSA-v9p9-hfj2-hcw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hgd1-7u6j-p7dh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23250?format=json","vulnerability_id":"VCID-sy2z-sqgk-d7hg","summary":"Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression\n## Description\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\n\n## Impact\n\n- Remote denial of service against any Node.js application using undici's WebSocket client\n- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more\n- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits\n- No application-level mitigation is possible as decompression occurs before message delivery\n\n### Patches\n\nUsers should upgrade to fixed versions.\n\n### Workarounds\n\nNo workaround are possible.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1526.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1526","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04824","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04834","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04784","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04857","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0488","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04862","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04808","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05589","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05582","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05545","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05508","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05345","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05343","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05643","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05583","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05394","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0575","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05745","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05741","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0573","published_at":"2026-05-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1526"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc7692","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc7692"},{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/"}],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"},{"reference_url":"https://hackerone.com/reports/3481206","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-13T18:04:06Z/"}],"url":"https://hackerone.com/reports/3481206"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1526","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1526"},{"reference_url":"https://owasp.org/www-community/attacks/Denial_of_Service","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://owasp.org/www-community/attacks/Denial_of_Service"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880","reference_id":"1130880","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130880"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447142","reference_id":"2447142","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447142"},{"reference_url":"https://github.com/advisories/GHSA-vrm6-8vpv-qv8q","reference_id":"GHSA-vrm6-8vpv-qv8q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrm6-8vpv-qv8q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7080","reference_id":"RHSA-2026:7080","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7080"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7123","reference_id":"RHSA-2026:7123","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7123"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7302","reference_id":"RHSA-2026:7302","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7302"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7310","reference_id":"RHSA-2026:7310","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7310"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7350","reference_id":"RHSA-2026:7350","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7350"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7670","reference_id":"RHSA-2026:7670","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7670"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7675","reference_id":"RHSA-2026:7675","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7675"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7983","reference_id":"RHSA-2026:7983","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7983"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995018?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/1026179?format=json","purl":"pkg:deb/debian/node-undici@7.24.6%2Bdfsg%2B~cs3.2.0-2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.24.6%252Bdfsg%252B~cs3.2.0-2"}],"aliases":["CVE-2026-1526","GHSA-vrm6-8vpv-qv8q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sy2z-sqgk-d7hg"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-undici@7.18.2%252Bdfsg%252B~cs3.2.0-1"}