undici — Vulnerabilities & Security Advisories 21

All 21 CVE vulnerabilities found in undici, with AI-generated Chinese analysis, references, and POCs.

Vendor: nodejs

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-2229 | undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation | CWE-248 | 7.5 | High | 2026-03-12 |
| CVE-2026-1528 | undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client | CWE-248 | 7.5 | High | 2026-03-12 |
| CVE-2026-1527 | undici is vulnerable to CRLF Injection via upgrade option | CWE-93 | 4.6 | Medium | 2026-03-12 |
| CVE-2026-2581 | undici is vulnerable to Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS | CWE-770 | 5.9 | Medium | 2026-03-12 |
| CVE-2026-1526 | undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression | CWE-409 | 7.5 | High | 2026-03-12 |
| CVE-2026-1525 | undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | CWE-444 | 6.5 | Medium | 2026-03-12 |
| CVE-2026-22036 | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | CWE-770 | 5.9 | Medium | 2026-01-14 |
| CVE-2025-47279 | undici Denial of Service attack via bad certificate data | CWE-401 | 3.1 | Low | 2025-05-15 |
| CVE-2025-22150 | Undici Uses Insufficiently Random Values | CWE-330 | 6.8 | Medium | 2025-01-21 |
| CVE-2024-38372 | Undici vulnerable to data leak when using response.arrayBuffer() | CWE-201 | 2.0 | Low | 2024-07-08 |
| CVE-2024-30260 | Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline | CWE-285 | 3.9 | Low | 2024-04-04 |
| CVE-2024-30261 | Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect | CWE-284 | 2.6 | Low | 2024-04-04 |
| CVE-2024-24750 | Backpressure request ignored in fetch() in Undici | CWE-400 | 6.5 | Medium | 2024-02-16 |
| CVE-2024-24758 | Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici | CWE-200 | 3.9 | Low | 2024-02-16 |
| CVE-2023-45143 | Undici's cookie header not cleared on cross-origin redirect in fetch | CWE-200 | 3.9 | Low | 2023-10-12 |
| CVE-2023-23936 | CRLF Injection in Nodejs ‘undici’ via host | CWE-93 | 6.5 | Medium | 2023-02-16 |
| CVE-2023-24807 | Undici vulnerable to Regular Expression Denial of Service in Headers | CWE-20 | 7.5 | High | 2023-02-16 |
| CVE-2022-35948 | CRLF Injection in Nodejs ‘undici’ via Content-Type | CWE-93 | 5.3 | Medium | 2022-08-13 |
| CVE-2022-35949 | `undici.request` vulnerable to SSRF using absolute URL on `pathname` | CWE-918 | 5.3 | Medium | 2022-08-12 |
| CVE-2022-31151 | Uncleared cookies on cross-host/cross-origin redirect in undici | CWE-601 | 3.7 | Low | 2022-07-20 |
| CVE-2022-31150 | CRLF injection in request headers | CWE-93 | 5.3 | Medium | 2022-07-19 |