MEDIUM 6.5 npm
GHSA-2mjp-6q6p-2qxm · CVE-2026-1525 Undici has an HTTP Request/Response Smuggling issue
Modified: 3/18/2026
package
npm / undici
pkg:npm/undici
LOW 3.9 npm
GHSA-3787-6prv-h9w3 · CVE-2024-24758 Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Modified: 5/2/2024
HIGH 7.5 npm
GHSA-38rv-x7px-6hhq · CVE-2026-9675 undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Modified: 6/18/2026
MEDIUM 5.3 npm
GHSA-3cvr-822r-rqcc · CVE-2022-31150 undici before v5.8.0 vulnerable to CRLF injection in request headers
Modified: 11/8/2023
LOW 2.0 npm
GHSA-3g92-w8c5-73pq · CVE-2024-38372 Undici vulnerable to data leak when using response.arrayBuffer()
Modified: 7/9/2024
MEDIUM 4.6 npm
GHSA-4992-7rv2-5pvq · CVE-2026-1527 Undici has CRLF Injection in undici via `upgrade` option
Modified: 3/18/2026
MEDIUM 4.6 npm
GHSA-5r9g-qh6m-jxff · BIT-node-2023-23936, BIT-node-min-2023-23936 CRLF Injection in Nodejs ‘undici’ via host
Modified: 12/16/2024
MEDIUM 5.3 npm
GHSA-8qr4-xgw6-wmr3 · CVE-2022-35949 `undici.request` vulnerable to SSRF using absolute URL on `pathname`
Modified: 11/8/2023
MEDIUM 6.5 npm
GHSA-9f24-jqhm-jfcw · CVE-2024-24750 fetch(url) leads to a memory leak in undici
Modified: 4/19/2024
LOW 2.6 npm
GHSA-9qxr-qj54-h672 · CVE-2024-30261 Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
Modified: 11/4/2025
MEDIUM 6.8 npm
GHSA-c76h-2ccp-4975 · CVE-2025-22150 Use of Insufficiently Random Values in undici
Modified: 2/4/2026
LOW 3.1 npm
GHSA-cxrh-j4jr-qwg3 · CVE-2025-47279 undici Denial of Service attack via bad certificate data
Modified: 2/6/2026
HIGH 7.5 npm
GHSA-f269-vfmq-vjvj · CVE-2026-1528 Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Modified: 3/18/2026
MEDIUM 5.3 npm
GHSA-f772-66g8-q5h3 · CVE-2022-35948 Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Modified: 11/8/2023
MEDIUM 5.9 npm
GHSA-g9mf-h72j-4rw9 · CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Modified: 2/4/2026
LOW 3.9 npm
GHSA-m4v8-wqvr-p9f7 · CVE-2024-30260 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Modified: 11/4/2025
HIGH 7.7 npm
GHSA-pgw7-wx7w-2w33 · CVE-2022-32210 ProxyAgent vulnerable to MITM
Modified: 3/13/2026
MEDIUM 5.9 npm
GHSA-phc3-fgpg-7m6h · CVE-2026-2581 Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Modified: 3/18/2026
MEDIUM 5.9 npm
GHSA-pr7r-676h-xcf6 · CVE-2026-9678 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Modified: 6/18/2026
LOW 3.7 npm
GHSA-q768-x9m6-m9qp · CVE-2022-31151 undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
Modified: 2/4/2026
HIGH 7.5 npm
GHSA-r6ch-mqf9-qc9w · CVE-2023-24807 Regular Expression Denial of Service in Headers
Modified: 11/8/2023
HIGH 7.5 npm
GHSA-v9p9-hfj2-hcw8 · CVE-2026-2229 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Modified: 3/18/2026
HIGH 7.4 npm
GHSA-vmh5-mc38-953g · CVE-2026-9697 undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Modified: 6/18/2026
HIGH 7.5 npm
GHSA-vrm6-8vpv-qv8q · CVE-2026-1526 Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Modified: 3/18/2026
LOW 3.9 npm
GHSA-wqq4-5wpv-mx2g · CVE-2023-45143 Undici's cookie header not cleared on cross-origin redirect in fetch
Modified: 2/4/2026