pkg:Debian/node-undici

21 total CVEs: HIGH 5, MEDIUM 10, LOW 6

All known vulnerabilities

  • HIGH 7.7 CVE-2022-32210: ProxyAgent vulnerable to MITM
    from 0, < 5.6.1+dfsg1+~cs18.9.16-1
  • HIGH 7.5 CVE-2026-1526: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
    from 0
  • HIGH 7.5 CVE-2026-2229: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
    from 0
  • HIGH 7.5 CVE-2026-1528: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
    from 0
  • HIGH 7.5 CVE-2023-24807: Regular Expression Denial of Service in Headers
    from 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
  • MEDIUM 6.8 CVE-2025-22150: Use of Insufficiently Random Values in undici
    from 0
  • MEDIUM 6.5 CVE-2026-1525: Undici has an HTTP Request/Response Smuggling issue
    from 0
  • MEDIUM 6.5 CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
    from 0
  • MEDIUM 5.9 CVE-2026-2581: Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
    from 0
  • MEDIUM 5.9 CVE-2026-22036: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
    from 0
  • MEDIUM 5.3 CVE-2022-35948: Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
    from 0, < 5.8.2+dfsg1+~cs18.9.18.1-1
  • MEDIUM 5.3 CVE-2022-35949: `undici.request` vulnerable to SSRF using absolute URL on `pathname`
    from 0, < 5.8.2+dfsg1+~cs18.9.18.1-1
  • MEDIUM 5.3 CVE-2022-31150: undici before v5.8.0 vulnerable to CRLF injection in request headers
    from 0, < 5.8.0+dfsg1+~cs18.9.16-1
  • MEDIUM 4.6 CVE-2026-1527: Undici has CRLF Injection in undici via `upgrade` option
    from 0
  • MEDIUM 4.6 CVE-2023-23936: CRLF Injection in Nodejs ‘undici’ via host
    from 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
  • LOW 3.9 CVE-2024-30260: Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
    from 0
  • LOW 3.9 CVE-2024-24758: Undici proxy-authorization header not cleared on cross-origin redirect in fetch
    from 0
  • LOW 3.9 CVE-2023-45143: Undici's cookie header not cleared on cross-origin redirect in fetch
    from 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
  • LOW 3.7 CVE-2022-31151: undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
    from 0, < 5.8.0+dfsg1+~cs18.9.16-1
  • LOW 3.1 CVE-2025-47279: undici Denial of Service attack via bad certificate data
    from 0
  • LOW 2.6 CVE-2024-30261: Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
    from 0