Undici
This hub aggregates every CVE we track for Undici, a product in the OSS libraries category. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 31
- Critical: 0
- High: 8
- In CISA KEV: 0

Severity distribution: Medium 14, Low 9, High 8, Critical 0
Monthly trend: chart of CVEs published per month, 2024-07 to 2026-06 (chart not reproduced).
Latest CVEs
The 15 most recently published vulnerabilities affecting Undici.
- CVE-2026-11525: undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching (score: 3.7)
- CVE-2026-6733: undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse (score: 3.7)
- CVE-2026-9678: undici vulnerable to cross-user information disclosure via shared cache whitespace bypass (score: 5.9)
- CVE-2026-9679: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding (score: 5.9)
- CVE-2026-9697: undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent (score: 7.4)
- CVE-2026-6734: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse (score: 7.5)
- CVE-2026-9675: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass (score: 7.5)
- CVE-2026-12151: undici WebSocket client vulnerable to denial of service via fragment count bypass (score: 7.5)
- CVE-2026-2229: undici is vulnerable to an unhandled exception in the undici WebSocket client due to invalid server_max_window_bits validation (score: 7.5)
- CVE-2026-1528: undici is vulnerable to a malicious WebSocket 64-bit length that overflows the undici parser and crashes the client (score: 7.5)
- CVE-2026-1527: undici is vulnerable to CRLF injection via the upgrade option (score: 4.6)
- CVE-2026-2581: undici is vulnerable to unbounded memory consumption in Undici's DeduplicationHandler via response buffering, leading to DoS (score: 5.9)
- CVE-2026-1526: undici is vulnerable to unbounded memory consumption in undici WebSocket permessage-deflate decompression (score: 7.5)
- CVE-2026-1525: undici is vulnerable to inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') (score: 6.5)
- CVE-2026-22036: Undici has an unbounded decompression chain in HTTP responses on the Node.js Fetch API via Content-Encoding, leading to resource exhaustion (score: 5.9)
Product normalization is registry-driven with AI assist and human review.