npm vulnerability intelligence

undici NPM Package Vulnerability Check

An HTTP/1.1 client, written from scratch for Node.js


undici

v8.4.1 · MIT · 127,518,613 dl/wk

Advisory Breakdown

Critical 0
High 5
Moderate 10
Low 7

Severity Rating

High severity (22 advisories)

Weekly downloads

127,518,613

Total advisories

22

Latest version

8.4.1

License

MIT

Known advisories

OSV records for the npm ecosystem: 22

GHSA-2mjp-6q6p-2qxm · CVE-2026-1525 · moderate
Undici has an HTTP Request/Response Smuggling issue
Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 · Fixed in: 6.24.0, 7.24.0 · Updated Mar 18, 2026

GHSA-3787-6prv-h9w3 · CVE-2024-24758 · low
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Affected: >=0 <5.28.3, >=6.0.0 <6.6.1 · Fixed in: 5.28.3, 6.6.1 · Updated May 2, 2024

GHSA-3cvr-822r-rqcc · CVE-2022-31150 · moderate
undici before v5.8.0 vulnerable to CRLF injection in request headers
Affected: >=0 <5.8.0 · Fixed in: 5.8.0 · Updated Nov 8, 2023

GHSA-3g92-w8c5-73pq · CVE-2024-38372 · low
Undici vulnerable to data leak when using response.arrayBuffer()
Affected: >=6.14.0 <6.19.2 · Fixed in: 6.19.2 · Updated Jul 9, 2024

GHSA-4992-7rv2-5pvq · CVE-2026-1527 · moderate
Undici has CRLF Injection in undici via `upgrade` option
Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 · Fixed in: 6.24.0, 7.24.0 · Updated Mar 18, 2026

GHSA-5r9g-qh6m-jxff · BIT-node-2023-23936, BIT-node-min-2023-23936 · moderate
CRLF Injection in Nodejs ‘undici’ via host
Affected: >=2.0.0 <5.19.1 · Fixed in: 5.19.1 · Updated Dec 16, 2024

GHSA-8qr4-xgw6-wmr3 · CVE-2022-35949 · moderate
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Affected: >=0 <5.8.2 · Fixed in: 5.8.2 · Updated Nov 8, 2023

GHSA-9f24-jqhm-jfcw · CVE-2024-24750 · moderate
fetch(url) leads to a memory leak in undici
Affected: >=6.0.0 <6.6.1 · Fixed in: 6.6.1 · Updated Apr 19, 2024

GHSA-9qxr-qj54-h672 · CVE-2024-30261 · low
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
Affected: >=0 <5.28.4, >=6.0.0 <6.11.1 · Fixed in: 5.28.4, 6.11.1 · Updated Nov 4, 2025

GHSA-c76h-2ccp-4975 · CVE-2025-22150 · moderate
Use of Insufficiently Random Values in undici
Affected: >=4.5.0 <5.28.5, >=6.0.0 <6.21.1, >=7.0.0 <7.2.3 · Fixed in: 5.28.5, 6.21.1, 7.2.3 · Updated Feb 4, 2026

GHSA-cxrh-j4jr-qwg3 · CVE-2025-47279 · low
undici Denial of Service attack via bad certificate data
Affected: >=0 <5.29.0, >=6.0.0 <6.21.2, >=7.0.0 <7.5.0 · Fixed in: 5.29.0, 6.21.2, 7.5.0 · Updated Feb 6, 2026

GHSA-f269-vfmq-vjvj · CVE-2026-1528 · high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Affected: >=6.0.0 <6.24.0, >=7.0.0 <7.24.0 · Fixed in: 6.24.0, 7.24.0 · Updated Mar 18, 2026

GHSA-f772-66g8-q5h3 · CVE-2022-35948 · moderate
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Affected: >=0 <5.8.2 · Fixed in: 5.8.2 · Updated Nov 8, 2023

GHSA-g9mf-h72j-4rw9 · CVE-2026-22036 · moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding, leading to resource exhaustion
Affected: >=7.0.0 <7.18.2, >=0 <6.23.0 · Fixed in: 7.18.2, 6.23.0 · Updated Feb 4, 2026

GHSA-m4v8-wqvr-p9f7 · CVE-2024-30260 · low
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Affected: >=0 <5.28.4, >=6.0.0 <6.11.1 · Fixed in: 5.28.4, 6.11.1 · Updated Nov 4, 2025

GHSA-pgw7-wx7w-2w33 · CVE-2022-32210 · high
ProxyAgent vulnerable to MITM
Affected: >=4.8.2 <5.5.1 · Fixed in: 5.5.1 · Updated Mar 13, 2026

GHSA-phc3-fgpg-7m6h · CVE-2026-2581 · moderate
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Affected: >=7.17.0 <7.24.0 · Fixed in: 7.24.0 · Updated Mar 18, 2026

GHSA-q768-x9m6-m9qp · CVE-2022-31151 · low
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
Affected: >=0 <5.8.0 · Fixed in: 5.8.0 · Updated Feb 4, 2026

GHSA-r6ch-mqf9-qc9w · CVE-2023-24807 · high
Regular Expression Denial of Service in Headers
Affected: >=0 <5.19.1 · Fixed in: 5.19.1 · Updated Nov 8, 2023

GHSA-v9p9-hfj2-hcw8 · CVE-2026-2229 · high
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 · Fixed in: 6.24.0, 7.24.0 · Updated Mar 18, 2026

GHSA-vrm6-8vpv-qv8q · CVE-2026-1526 · high
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 · Fixed in: 6.24.0, 7.24.0 · Updated Mar 18, 2026

GHSA-wqq4-5wpv-mx2g · CVE-2023-45143 · low
Undici's cookie header not cleared on cross-origin redirect in fetch
Affected: >=0 <5.26.2 · Fixed in: 5.26.2 · Updated Feb 4, 2026

Checked Jun 14, 2026, 10:43 PM from npm and OSV.dev

Package metadata

From the npm registry

Package name
undici
Ecosystem
npm
Latest version
8.4.1
License
MIT
Weekly downloads
127,518,613

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows · Login attempts · API traffic
