npm vulnerability intelligence

undici NPM Package
Vulnerability Check

An HTTP/1.1 client, written from scratch for Node.js

High severity MIT v8.5.0

Vulnerability Analysis OSV Live

undici

v8.5.0 · MIT · 133,047,713 dl/wk

Advisory Breakdown

Critical 0

High 9

Moderate 12

Low 9

Severity Rating

High severity

30 advisories

High severity

Weekly downloads

133,047,713

Total advisories

30

Latest version

8.5.0

License

MIT

Advisories Package Info Runtime

Known advisories

OSV records for the npm ecosystem

30

GHSA-2mjp-6q6p-2qxm CVE-2026-1525 moderate

Undici has an HTTP Request/Response Smuggling issue

Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 Fixed in: 6.24.0, 7.24.0 Updated Mar 18, 2026

GHSA-35p6-xmwp-9g52 CVE-2026-6733 low

undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

Affected: >=0 <6.27.0, >=7.0.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 6.27.0, 7.28.0, 8.5.0 Updated Jun 21, 2026

GHSA-3787-6prv-h9w3 CVE-2024-24758 low

Undici proxy-authorization header not cleared on cross-origin redirect in fetch

Affected: >=0 <5.28.3, >=6.0.0 <6.6.1 Fixed in: 5.28.3, 6.6.1 Updated May 2, 2024

GHSA-38rv-x7px-6hhq CVE-2026-9675 high

undici WebSocket client vulnerable to denial of service via cumulative fragment bypass

Affected: >=8.0.0 <8.5.0 Fixed in: 8.5.0 Updated Jun 18, 2026

GHSA-3cvr-822r-rqcc CVE-2022-31150 moderate

undici before v5.8.0 vulnerable to CRLF injection in request headers

Affected: >=0 <5.8.0 Fixed in: 5.8.0 Updated Nov 8, 2023

GHSA-3g92-w8c5-73pq CVE-2024-38372 low

Undici vulnerable to data leak when using response.arrayBuffer()

Affected: >=6.14.0 <6.19.2 Fixed in: 6.19.2 Updated Jul 9, 2024

GHSA-4992-7rv2-5pvq CVE-2026-1527 moderate

Undici has CRLF Injection in undici via `upgrade` option

Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 Fixed in: 6.24.0, 7.24.0 Updated Mar 18, 2026

GHSA-5r9g-qh6m-jxff BIT-node-2023-23936BIT-node-min-2023-23936 moderate

CRLF Injection in Nodejs ‘undici’ via host

Affected: >=2.0.0 <5.19.1 Fixed in: 5.19.1 Updated Dec 16, 2024

GHSA-8qr4-xgw6-wmr3 CVE-2022-35949 moderate

`undici.request` vulnerable to SSRF using absolute URL on `pathname`

Affected: >=0 <5.8.2 Fixed in: 5.8.2 Updated Nov 8, 2023

GHSA-9f24-jqhm-jfcw CVE-2024-24750 moderate

fetch(url) leads to a memory leak in undici

Affected: >=6.0.0 <6.6.1 Fixed in: 6.6.1 Updated Apr 19, 2024

GHSA-9qxr-qj54-h672 CVE-2024-30261 low

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Affected: >=0 <5.28.4, >=6.0.0 <6.11.1 Fixed in: 5.28.4, 6.11.1 Updated Nov 4, 2025

GHSA-c76h-2ccp-4975 CVE-2025-22150 moderate

Use of Insufficiently Random Values in undici

Affected: >=4.5.0 <5.28.5, >=6.0.0 <6.21.1, >=7.0.0 <7.2.3 Fixed in: 5.28.5, 6.21.1, 7.2.3 Updated Feb 4, 2026

GHSA-cxrh-j4jr-qwg3 CVE-2025-47279 low

undici Denial of Service attack via bad certificate data

Affected: >=0 <5.29.0, >=6.0.0 <6.21.2, >=7.0.0 <7.5.0 Fixed in: 5.29.0, 6.21.2, 7.5.0 Updated Feb 6, 2026

GHSA-f269-vfmq-vjvj CVE-2026-1528 high

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

Affected: >=6.0.0 <6.24.0, >=7.0.0 <7.24.0 Fixed in: 6.24.0, 7.24.0 Updated Mar 18, 2026

GHSA-f772-66g8-q5h3 CVE-2022-35948 moderate

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Affected: >=0 <5.8.2 Fixed in: 5.8.2 Updated Nov 8, 2023

GHSA-g8m3-5g58-fq7m CVE-2026-11525 low

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Affected: >=0 <6.27.0, >=7.0.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 6.27.0, 7.28.0, 8.5.0 Updated Jun 20, 2026

GHSA-g9mf-h72j-4rw9 CVE-2026-22036 moderate

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Affected: >=7.0.0 <7.18.2, >=0 <6.23.0 Fixed in: 7.18.2, 6.23.0 Updated Feb 4, 2026

GHSA-hm92-r4w5-c3mj CVE-2026-6734 high

undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

Affected: >=7.23.0 <7.28.0, >=8.0.0 <8.2.0 Fixed in: 7.28.0, 8.2.0 Updated Jun 20, 2026

GHSA-m4v8-wqvr-p9f7 CVE-2024-30260 low

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Affected: >=0 <5.28.4, >=6.0.0 <6.11.1 Fixed in: 5.28.4, 6.11.1 Updated Nov 4, 2025

GHSA-p88m-4jfj-68fv CVE-2026-9679 moderate

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Affected: >=0 <6.27.0, >=7.0.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 6.27.0, 7.28.0, 8.5.0 Updated Jun 20, 2026

GHSA-pgw7-wx7w-2w33 CVE-2022-32210 high

ProxyAgent vulnerable to MITM

Affected: >=4.8.2 <5.5.1 Fixed in: 5.5.1 Updated Mar 13, 2026

GHSA-phc3-fgpg-7m6h CVE-2026-2581 moderate

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

Affected: >=7.17.0 <7.24.0 Fixed in: 7.24.0 Updated Mar 18, 2026

GHSA-pr7r-676h-xcf6 CVE-2026-9678 moderate

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

Affected: >=7.0.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 7.28.0, 8.5.0 Updated Jun 19, 2026

GHSA-q768-x9m6-m9qp CVE-2022-31151 low

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect

Affected: >=0 <5.8.0 Fixed in: 5.8.0 Updated Feb 4, 2026

GHSA-r6ch-mqf9-qc9w CVE-2023-24807 high

Regular Expression Denial of Service in Headers

Affected: >=0 <5.19.1 Fixed in: 5.19.1 Updated Nov 8, 2023

GHSA-v9p9-hfj2-hcw8 CVE-2026-2229 high

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 Fixed in: 6.24.0, 7.24.0 Updated Mar 18, 2026

GHSA-vmh5-mc38-953g CVE-2026-9697 high

undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent

Affected: >=7.23.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 7.28.0, 8.5.0 Updated Jun 19, 2026

GHSA-vrm6-8vpv-qv8q CVE-2026-1526 high

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

Affected: >=0 <6.24.0, >=7.0.0 <7.24.0 Fixed in: 6.24.0, 7.24.0 Updated Mar 18, 2026

GHSA-vxpw-j846-p89q CVE-2026-12151 high

undici WebSocket client vulnerable to denial of service via fragment count bypass

Affected: >=0 <6.27.0, >=7.0.0 <7.28.0, >=8.0.0 <8.5.0 Fixed in: 6.27.0, 7.28.0, 8.5.0 Updated Jun 20, 2026

GHSA-wqq4-5wpv-mx2g CVE-2023-45143 low

Undici's cookie header not cleared on cross-origin redirect in fetch

Affected: >=0 <5.26.2 Fixed in: 5.26.2 Updated Feb 4, 2026

Checked Jun 28, 2026, 7:16 AM from npm and OSV.dev

Package metadata

From the npm registry

Package name: undici
Ecosystem: npm
Latest version: 8.5.0
License: MIT
Weekly downloads: 133,047,713
Repository: Open repository

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows

Login attempts

API traffic

Protect runtime flows →

Allow, challenge, review, and block decisions for exposed endpoints.

Data from npm registry and OSV.dev · Checked 6/28/2026, 7:16:59 AM