| purl | pkg:npm/undici@5.24.0-test.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-35xt-q7bu-g7gz (aliases: CVE-2024-24758, GHSA-3787-6prv-h9w3) | Undici proxy-authorization header not cleared on cross-origin redirect in fetch. **Impact:** Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. **Patches:** This is patched in v5.28.3 and v6.6.1. **Workarounds:** There are no known workarounds. **References:** https://fetch.spec.whatwg.org/#authentication-entries, https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g | Affected by 4 other vulnerabilities. |
| VCID-68fk-zn5c-33fj (aliases: CVE-2024-30260, GHSA-m4v8-wqvr-p9f7) | Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline. **Impact:** Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. **Patches:** This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1. **Workarounds:** Use `fetch()` or disable `maxRedirections`. **References:** Linzi Shang reported this. https://hackerone.com/reports/2408074, https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 | Affected by 2 other vulnerabilities. |
| VCID-6cmr-x22p-ebe3 (aliases: CVE-2025-47279, GHSA-cxrh-j4jr-qwg3) | undici: Undici Memory Leak with Invalid Certificates | Affected by 0 other vulnerabilities. |
| VCID-kzbd-kkqe-kkef (aliases: CVE-2025-22150, GHSA-c76h-2ccp-4975) | undici: Undici Uses Insufficiently Random Values | Affected by 1 other vulnerability. |
| VCID-s4cy-z5k3-6qe5 (aliases: CVE-2023-45143, GHSA-wqq4-5wpv-mx2g) | Undici's cookie header not cleared on cross-origin redirect in fetch. **Impact:** Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), so they cannot be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect between the assumptions the spec made and Undici's implementation of fetch. As such, this may lead to accidental leakage of cookies to a 3rd-party site, or to a malicious attacker who can control the redirection target (i.e. an open redirector) leaking the cookie to the 3rd-party site. **Patches:** This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2. | Affected by 5 other vulnerabilities. |
| VCID-wyw8-uapk-4ufp (aliases: CVE-2024-30261, GHSA-9qxr-qj54-h672) | Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect. **Impact:** If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered with. **Patches:** Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1. **Workarounds:** Ensure that `integrity` cannot be tampered with. **References:** https://hackerone.com/reports/2377760 | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
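As an added illustration (not undici's own code) of the behaviour the three redirect advisories above describe: a helper that drops `Authorization`, `Proxy-Authorization` and `Cookie` from a redirected request whenever the target origin differs, assuming request headers as a plain object and Node's WHATWG `URL`.

```javascript
// Added example, not part of undici: redirect-time header hygiene.
// Authorization and Proxy-Authorization must not cross origins per
// https://fetch.spec.whatwg.org/#authentication-entries; Cookie is added
// because undici accepts it in RequestInit.headers, unlike browsers.
const CROSS_ORIGIN_SENSITIVE = ['authorization', 'proxy-authorization', 'cookie'];

// Two URLs share an origin only when scheme, host and port all match.
// URL.origin normalises default ports, so https://h:443 equals https://h.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Build the header set for the follow-up request after a redirect.
// Header names are matched case-insensitively, as HTTP requires.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CROSS_ORIGIN_SENSITIVE.includes(name.toLowerCase())) {
      continue; // credential-bearing header dropped on cross-origin hop
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample request: authenticated call that gets redirected.
const sampleHeaders = {
  Authorization: 'Bearer <placeholder-token>',
  'Proxy-Authorization': 'Basic <placeholder>',
  Cookie: 'session=<placeholder>',
  Accept: 'application/json',
};

// Cross-origin hop: only Accept survives.
console.log(headersForRedirect(sampleHeaders,
  'https://api.example.com/login', 'https://cdn.example.net/next'));
// Same-origin hop: everything is kept.
console.log(headersForRedirect(sampleHeaders,
  'https://api.example.com/login', 'https://api.example.com/next'));
```

A scheme change alone (http to https on the same host) is also a different origin, so the credentials are dropped there too.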