SB2026061760 - Multiple vulnerabilities in undici
Published: June 17, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-6733)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause responses to be delivered to the wrong requests.
The vulnerability exists due to a time-of-check time-of-use race condition in the HTTP/1.1 client when reusing keep-alive sockets. A remote attacker can inject an unsolicited HTTP/1.1 response onto an idle socket to cause responses to be delivered to the wrong requests.
Exploitation requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
2) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-11525)
CWE-ID: CWE-183 - Permissive List of Allowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to weaken SameSite cookie policy enforcement.
The vulnerability exists due to an overly permissive list of accepted inputs in the Set-Cookie header parser when parsing Set-Cookie headers from server responses. A remote attacker can send a specially crafted Set-Cookie header to weaken SameSite cookie policy enforcement.
The issue affects applications that forward or rely on the parsed sameSite attribute from server responses.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-12151)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the WebSocket client message fragmentation handling when processing fragmented WebSocket messages from a server. A remote attacker can send many small or empty continuation frames to cause a denial of service.
Exploitation requires the application to connect to an attacker-controlled or compromised WebSocket endpoint using the WebSocket client or the WebSocketStream API.
4) Improper Certificate Validation (CVE-ID: CVE-2026-9697)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to intercept and modify HTTPS traffic.
The vulnerability exists due to improper certificate validation in ProxyAgent and Socks5ProxyAgent when establishing HTTPS connections through a SOCKS5 proxy. A remote attacker can present a certificate signed by a publicly trusted CA for the target hostname to intercept and modify HTTPS traffic.
Only applications that rely on requestTls settings for TLS scope restriction when using a SOCKS5 proxy are affected.
5) Use of Cache Containing Sensitive Information (CVE-ID: CVE-2026-9678)
CWE-ID: CWE-524 - Use of Cache Containing Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to the cache interceptor storing responses that carry sensitive information when it processes Cache-Control headers with whitespace-padded qualified private or no-cache directives. A remote attacker can send requests that resolve to the same cache key to disclose sensitive information.
Only applications that explicitly enable interceptors.cache() in shared-cache mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified directives are vulnerable.
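Added example, not undici's code: a shared-cache Cache-Control parser that treats a whitespace-padded qualified directive such as `private = "Authorization"` the same as `private="Authorization"`, and reports which header fields must be stripped before the response is stored. The function names are chosen here.

```javascript
// Added example, not undici's code. Cache-Control handling for a shared cache
// that tolerates whitespace around '=' and ',' in qualified directives.

// Split a field value on commas that are not inside a quoted-string.
function splitDirectives(value) {
  const parts = [];
  let cur = '', quoted = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === ',' && !quoted) { parts.push(cur); cur = ''; continue; }
    if (ch === '"') quoted = !quoted;
    else if (ch === '\\' && quoted && i + 1 < value.length) { cur += ch + value[++i]; continue; } // quoted-pair
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Map of lower-cased directive name -> value (null when the directive has no
// argument). Whitespace is trimmed and a quoted-string argument is unquoted.
function parseCacheControl(value) {
  const out = new Map();
  for (const part of splitDirectives(value)) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name === '') continue;
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    out.set(name, val);
  }
  return out;
}

// Shared-cache decision (conservative reading of RFC 9111 s5.2.2): no-store or
// an unqualified `private` forbids storage; a qualified private/no-cache names
// header fields that must be removed before the response is stored.
function sharedCacheDecision(cacheControl) {
  const d = parseCacheControl(cacheControl);
  if (d.has('no-store') || (d.has('private') && !d.get('private'))) return { storable: false, strip: [] };
  const strip = new Set();
  for (const name of ['private', 'no-cache']) {
    for (const h of (d.get(name) || '').split(',')) {
      const t = h.trim().toLowerCase();
      if (t) strip.add(t);
    }
  }
  return { storable: true, strip: [...strip].sort() };
}
```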
6) CRLF injection (CVE-ID: CVE-2026-9679)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP response headers.
The vulnerability exists due to improper neutralization of CRLF sequences in the parseSetCookie cookie parser when processing a crafted Set-Cookie header containing percent-encoded delimiter bytes. A remote attacker can supply a specially crafted upstream Set-Cookie header to inject arbitrary HTTP response headers.
Exploitation requires an application to parse a Set-Cookie header using parseSetCookie, parseCookie, or getSetCookies and then forward the parsed value into a downstream response header.
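Added example covering items 2 and 6, not undici's code: a guard an application can run on a parsed upstream Set-Cookie before re-emitting it on its own response. It refuses control bytes (so a decoded CR/LF cannot begin a new header line) and the ';' attribute separator in every field, and accepts only the three defined SameSite values. The cookie object shape and function names are chosen here.

```javascript
// Added example, not undici's code. Validates a parsed cookie before it is
// forwarded as a downstream Set-Cookie header.

const BAD = /[\u0000-\u001F\u007F;]/;        // CTLs incl. CR, LF, NUL, plus ';'
const SAMESITE = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Canonical SameSite spelling, or null if absent or not one of the three.
function normalizeSameSite(v) {
  if (v === undefined || v === null) return null;
  return SAMESITE[String(v).trim().toLowerCase()] ?? null;
}

// Serialise { name, value, domain, path, maxAge, sameSite, secure, httpOnly }
// as a Set-Cookie value, throwing instead of emitting anything unsafe.
function serializeSetCookie(cookie) {
  const check = (label, v) => {
    if (BAD.test(v)) throw new Error(`unsafe character in cookie ${label}`);
    return v;
  };
  if (!cookie.name || /[\s=]/.test(cookie.name)) throw new Error('invalid cookie name');
  const parts = [`${check('name', cookie.name)}=${check('value', cookie.value ?? '')}`];
  if (cookie.domain) parts.push(`Domain=${check('domain', cookie.domain)}`);
  if (cookie.path) parts.push(`Path=${check('path', cookie.path)}`);
  if (cookie.maxAge !== undefined && cookie.maxAge !== null) {
    if (!Number.isInteger(cookie.maxAge)) throw new Error('Max-Age must be an integer');
    parts.push(`Max-Age=${cookie.maxAge}`);
  }
  const sameSite = normalizeSameSite(cookie.sameSite);
  if (cookie.sameSite !== undefined && cookie.sameSite !== null && sameSite === null) {
    // Do not forward a value outside Strict/Lax/None; browsers may interpret it unpredictably.
    throw new Error('unrecognised SameSite value');
  }
  if (sameSite === 'None' && !cookie.secure) throw new Error('SameSite=None requires Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (cookie.secure) parts.push('Secure');
  if (cookie.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}
```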
7) Resource exhaustion (CVE-ID: CVE-2026-9675)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the WebSocket client when processing fragmented uncompressed messages. A remote attacker can stream many small WebSocket fragments to cause a denial of service.
Exploitation requires an application using the WebSocket client to connect to an attacker-controlled or compromised WebSocket endpoint.
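Added example covering items 3 and 7, not undici's code: reassembly of a fragmented WebSocket message (RFC 6455 section 5.4) that caps the number of fragments and the total payload, so a server streaming tiny or empty continuation frames is cut off instead of consuming unbounded memory and CPU. The function, option names and defaults are chosen here.

```javascript
// Added example, not undici's code. Bounded reassembly of fragmented
// WebSocket data frames on the client side.

const OPCODE = { CONTINUATION: 0x0, TEXT: 0x1, BINARY: 0x2 };

function createFragmentAssembler({ maxFragments = 1024, maxMessageBytes = 16 * 1024 * 1024 } = {}) {
  let chunks = [], type = null, bytes = 0;
  const reset = () => { chunks = []; type = null; bytes = 0; };

  // Feed one data frame { fin, opcode, payload: Buffer }. Returns the complete
  // message { opcode, payload } when FIN is set, null while more fragments are
  // expected. Throws on a limit or protocol violation; the caller should then
  // close the connection (1009 "message too big" / 1002 "protocol error").
  function push({ fin, opcode, payload }) {
    if (opcode === OPCODE.CONTINUATION) {
      if (type === null) throw new Error('continuation frame without a start frame');
    } else if (opcode === OPCODE.TEXT || opcode === OPCODE.BINARY) {
      if (type !== null) throw new Error('new data frame while a message is in progress');
      type = opcode;
    } else {
      throw new Error(`opcode ${opcode} is not a data frame`);
    }
    chunks.push(payload);
    bytes += payload.length;
    // Count every fragment, including empty ones: the cost is per frame, not per byte.
    if (chunks.length > maxFragments) { reset(); throw new Error('too many fragments'); }
    if (bytes > maxMessageBytes) { reset(); throw new Error('message too big'); }
    if (!fin) return null;
    const message = { opcode: type, payload: Buffer.concat(chunks) };
    reset();
    return message;
  }
  return { push };
}
```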
Remediation
Install the update from the vendor's website.
References
- https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52
- https://hackerone.com/reports/3582376
- https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m
- https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q
- https://datatracker.ietf.org/doc/html/rfc6455#section-5.4
- https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g
- https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6
- https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv
- https://github.com/nodejs/undici/pull/3789
- https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq