pkg:npm/undici

22 total CVEsHIGH5MEDIUM10LOW7

✅ Check your installed version

All known vulnerabilities

  • HIGH7.7CVE-2022-32210ProxyAgent vulnerable to MITM
    >= 4.8.2, < 5.5.1
  • HIGH7.5CVE-2026-1526Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
    from 0, < 6.24.0
  • HIGH7.5CVE-2026-2229Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
    from 0, < 6.24.0
  • HIGH7.5CVE-2026-1528Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
    >= 6.0.0, < 6.24.0
  • HIGH7.5CVE-2023-24807Regular Expression Denial of Service in Headers
    from 0, < 5.19.1
  • MEDIUM6.8CVE-2025-22150Use of Insufficiently Random Values in undici
    >= 4.5.0, < 5.28.5
  • MEDIUM6.5CVE-2026-1525Undici has an HTTP Request/Response Smuggling issue
    from 0, < 6.24.0
  • MEDIUM6.5CVE-2024-24750fetch(url) leads to a memory leak in undici
    >= 6.0.0, < 6.6.1
  • MEDIUM5.9CVE-2026-2581Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
    >= 7.17.0, < 7.24.0
  • MEDIUM5.9CVE-2026-22036Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
    >= 7.0.0, < 7.18.2
  • MEDIUM5.3CVE-2022-35948Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
    from 0, < 5.8.2
  • MEDIUM5.3CVE-2022-35949`undici.request` vulnerable to SSRF using absolute URL on `pathname`
    from 0, < 5.8.2
  • MEDIUM5.3CVE-2022-31150undici before v5.8.0 vulnerable to CRLF injection in request headers
    from 0, < 5.8.0
  • MEDIUM4.6CVE-2026-1527Undici has CRLF Injection in undici via `upgrade` option
    from 0, < 6.24.0
  • MEDIUM4.6CVE-2023-23936CRLF Injection in Nodejs ‘undici’ via host
    >= 2.0.0, < 5.19.1
  • LOW3.9CVE-2024-30260Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
    from 0, < 5.28.4
  • LOW3.9CVE-2024-24758Undici proxy-authorization header not cleared on cross-origin redirect in fetch
    from 0, < 5.28.3
  • LOW3.9CVE-2023-45143Undici's cookie header not cleared on cross-origin redirect in fetch
    from 0, < 5.26.2
  • LOW3.7CVE-2022-31151undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
    from 0, < 5.8.0
  • LOW3.1CVE-2025-47279undici Denial of Service attack via bad certificate data
    from 0, < 5.29.0
  • LOW2.6CVE-2024-30261Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
    from 0, < 5.28.4
  • LOW2.0CVE-2024-38372Undici vulnerable to data leak when using response.arrayBuffer()
    >= 6.14.0, < 6.19.2