nodejs undici

19 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-2581
>= 7.17.0 and < 7.24.0
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undi
CVSS 5.9 MEDIUM
CVE-2026-2229
< 6.24.0
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window
CVSS 7.5 HIGH
CVE-2026-1528
< 6.24.0
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser ov
CVSS 7.5 HIGH
CVE-2026-1527
< 6.24.0
Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF s
CVSS 4.6 MEDIUM
CVE-2026-1526
< 6.24.0
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate
CVSS 7.5 HIGH
CVE-2026-1525
< 6.24.0
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-L
CVSS 6.5 MEDIUM
CVE-2026-22036
< 6.23.0
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded
CVSS 5.9 MEDIUM
CVE-2024-30260
< 5.28.4
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `
CVSS 3.9 LOW
CVE-2024-30261
< 5.28.4
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(),
CVSS 2.6 LOW
CVE-2024-24758
< 5.28.3
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redir
CVSS 3.9 LOW
CVE-2024-24750
>= 6.0.0 and < 6.6.1
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the in
CVSS 6.5 MEDIUM
CVE-2023-45143
< 5.26.2
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization heade
CVSS 3.9 LOW
CVE-2023-24807
< 5.19.1
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerab
CVSS 7.5 HIGH
CVE-2023-23936
>= 2.0.0 and < 5.19.1
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not pro
CVSS 6.5 MEDIUM
CVE-2022-35948
< 5.8.2
undici is an HTTP/1.1 client, written from scratch for Node.js. <= undici@5.8.0 users are vulnerable to _CRLF Injection_ on heade
CVSS 5.3 MEDIUM
CVE-2022-35949
<= 5.8.1
undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when a
CVSS 5.3 MEDIUM
CVE-2022-31151
< 5.7.1
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official h
CVSS 3.7 LOW
CVE-2022-31150
< 5.8.0
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in un
CVSS 5.3 MEDIUM
CVE-2022-32210
>= 4.8.2 and < 5.5.1
Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. T
CVSS 6.5 MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin