Every CVE whose affected-product data names Nodejs Undici, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (27)
CVE-2026-12151 — CVSS 7.5 (high): Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a…
CVE-2026-9675 — CVSS 7.5 (high): Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed…
CVE-2026-6734 — CVSS 7.5 (high): Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's…
CVE-2026-2229 — CVSS 7.5 (high): ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits…
CVE-2026-1528 — CVSS 7.5 (high): ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows…
CVE-2026-1526 — CVSS 7.5 (high): The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate…
CVE-2023-24807 — CVSS 7.5 (high): Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to…
CVE-2026-9697 — CVSS 7.4 (high): Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The…
CVE-2023-23936 — CVSS 6.5 (medium): Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect…
CVE-2024-24750 — CVSS 6.5 (medium): Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming…
CVE-2022-32210 — CVSS 6.5 (medium): `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This…
CVE-2026-1525 — CVSS 6.5 (medium): Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and…
CVE-2026-22036 — CVSS 5.9 (medium): Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the…
CVE-2026-2581 — CVSS 5.9 (medium): This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici…
CVE-2026-9679 — CVSS 5.9 (medium): Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00…
CVE-2026-9678 — CVSS 5.9 (medium): Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses…
CVE-2022-31150 — CVSS 5.3 (medium): undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in…
CVE-2022-35949 — CVSS 5.3 (medium): undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an…
CVE-2026-1527 — CVSS 4.6 (medium): ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences…
CVE-2023-45143 — CVSS 3.9 (low): Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on…
CVE-2024-24758 — CVSS 3.9 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but…
CVE-2024-30260 — CVSS 3.9 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`…
CVE-2022-31151 — CVSS 3.7 (low): Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers…
CVE-2026-6733 — CVSS 3.7 (low): Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream…
CVE-2026-11525 — CVSS 3.7 (low): Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring…
CVE-2024-30261 — CVSS 2.6 (low): Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing…