Known Vulnerabilities for Undici by Nodejs
Listed below are 10 of the newest known vulnerabilities associated with "Undici" by "Nodejs".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-12151 json | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does n... | Not Provided | 2026-06-17 | 2026-07-13 |
| CVE-2026-11525 json | Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-9697 json | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks:... | Not Provided | 2026-06-17 | 2026-07-13 |
| CVE-2026-9679 json | Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like... | Not Provided | 2026-06-17 | 2026-06-23 |
| CVE-2026-9678 json | Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header ... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-9675 json | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented ... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-6734 json | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that t... | Not Provided | 2026-06-17 | 2026-07-13 |
| CVE-2026-6733 json | Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controll... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-2229 json | ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_w... | Not Provided | 2026-03-12 | 2026-07-02 |
| CVE-2026-1528 json | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's BytePars... | Not Provided | 2026-03-12 | 2026-07-02 |