Version 6.20.1

undici

An HTTP/1.1 client, written from scratch for Node.js

Install Instructions

npm install undici
Current Version Release Date October 14, 2024
Package URL (purl) pkg:npm/undici@6.20.1

Find undici vulnerabilities in your supply chain.

Scan for Free

undici Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2022-31150 Medium 6.5 CWE-93 0.0017 0.54808
  • 5.0.0–5.7.0
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2022-31151 Medium 6.5 CWE-601 0.00128 0.48701
  • 5.0.0–5.7.0
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2022-32210 Medium 6.5 CWE-295 0.00119 0.47222
  • 5.0.0–5.5.0
  • 4.8.2–4.16.0
CVE-2022-35948 Medium 5.3 CWE-93, CWE-74 0.00102 0.4281
  • 5.0.0–5.8.1
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2022-35949 High 9.8 CWE-918 0.00292 0.69684
  • 5.0.0–5.8.1
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2023-23936 Medium 5.4 CWE-93, CWE-74 0.00155 0.52668
  • 5.0.0–5.19.0
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
CVE-2023-24807 High 7.5 CWE-1333, CWE-20 0.00198 0.58215
  • 5.0.0–5.19.0
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2023-45143 Low 3.5 CWE-200 0.02723 0.90803
  • 5.0.0–5.26.1
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2024-24758 Low 3.9 CWE-200 0.00045 0.16759
  • 6.0.0–6.6.0
  • 5.0.0–5.28.2
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2024-30260 Low 3.9 CWE-285 0.00044 0.11331
  • 6.0.0–6.11.0
  • 5.0.0–5.28.3
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2024-30261 Low 2.6 CWE-284 0.00044 0.11331
  • 6.0.0–6.11.0
  • 5.0.0–5.28.3
  • 4.0.0–4.16.0
  • 3.0.0–3.3.6
  • 2.0.0–2.2.1
  • 1.0.0–1.3.1
  • 0.1.0–0.5.0
CVE-2024-24750 Medium 6.5 CWE-400 0.00045 0.16759
  • 6.0.0–6.6.0
CVE-2024-38372 Low 2 CWE-201 0.00045 0.16759
  • 6.14.0–6.19.1

undici Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-38372 Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. 6.14.1, 6.16.1, 6.19.1, 6.19.0, 6.18.1, 6.18.2, 6.18.0, 6.17.0 (Show all) Minor → 6.19.2
CVE-2024-30261 Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2024-30260 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2024-24758 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2024-24750 Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body. 6.3.0, 6.0.0, 6.0.1, 6.6.0, 6.5.0, 6.4.0, 6.2.1, 6.2.0 (Show all) Minor → 6.11.1
CVE-2023-45143 Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2023-24807 Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. 4.10.2, 5.15.0, 5.7.0, 5.10.0, 4.13.0, 4.12.2, 5.15.1, 5.14.0 (Show all) Major → 5.28.4
CVE-2022-35949 undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call. 4.10.2, 5.7.0, 4.13.0, 4.12.2, 5.0.0, 5.8.1, 5.6.1, 5.5.1 (Show all) Major → 5.28.4
CVE-2022-35948 undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. 4.10.2, 5.7.0, 4.13.0, 4.12.2, 5.0.0, 5.8.1, 5.6.1, 5.5.1 (Show all) Major → 5.28.4
CVE-2022-32210 `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server. 4.10.2, 4.13.0, 4.12.2, 5.0.0, 5.5.0, 5.3.0, 5.4.0, 5.2.0 (Show all) Major → 5.28.4
CVE-2022-31151 Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). 4.10.2, 5.7.0, 4.13.0, 4.12.2, 5.0.0, 5.6.1, 5.5.1, 5.6.0 (Show all) Major → 5.28.4
CVE-2022-31150 undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. 4.10.2, 5.7.0, 4.13.0, 4.12.2, 5.0.0, 5.6.1, 5.5.1, 5.6.0 (Show all) Major → 5.28.4

Instantly see if these undici vulnerabilities affect your code.

Scan for Free