| Bug | bookworm | trixie | forky | sid | Description |
|---|---|---|---|---|---|
| CVE-2026-22036 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, ... |
| CVE-2026-12151 | vulnerable | vulnerable | vulnerable | fixed | Impact: The undici WebSocket client enforces maxPayloadSize on the cum ... |
| CVE-2026-11525 | vulnerable | vulnerable | vulnerable | fixed | Impact: When undici parses a Set-Cookie header, it accepts any SameSit ... |
| CVE-2026-9697 | vulnerable | vulnerable | vulnerable | fixed | Impact: undici's ProxyAgent silently drops the requestTls option when ... |
| CVE-2026-9679 | vulnerable | vulnerable | vulnerable | fixed | Impact: undici's cookie parser in parseSetCookie percent-decodes cooki ... |
| CVE-2026-9678 | vulnerable | vulnerable | vulnerable | fixed | Impact: Undici's cache interceptor incorrectly classifies some respons ... |
| CVE-2026-6734 | vulnerable | vulnerable | vulnerable | fixed | Impact: When using Socks5ProxyAgent, undici reuses a single connection ... |
| CVE-2026-6733 | vulnerable | vulnerable | vulnerable | fixed | Impact: Undici's HTTP/1.1 client is vulnerable to response queue poiso ... |
| CVE-2026-2581 | fixed | vulnerable (no DSA) | fixed | fixed | This is an uncontrolled resource consumption vulnerability (CWE-400) t ... |
| CVE-2026-2229 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | Impact: The undici WebSocket client is vulnerable to a denial-of-service ... |
| CVE-2026-1528 | fixed | vulnerable (no DSA) | fixed | fixed | Impact: A server can reply with a WebSocket frame using the 64-bit lengt ... |
| CVE-2026-1527 | fixed | vulnerable (no DSA) | fixed | fixed | Impact: When an application passes user-controlled input to the upgrade op ... |
| CVE-2026-1526 | fixed | vulnerable (no DSA) | fixed | fixed | The undici WebSocket client is vulnerable to a denial-of-service attac ... |
| CVE-2026-1525 | fixed | vulnerable (no DSA) | fixed | fixed | Undici allows duplicate HTTP Content-Length headers when they are provid ... |
| CVE-2025-47279 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6. ... |
| CVE-2025-23167 | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP ... |
| CVE-2025-22150 | vulnerable (no DSA) | fixed | fixed | fixed | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to v ... |
| CVE-2024-30261 | vulnerable (no DSA) | fixed | fixed | fixed | Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ... |
| CVE-2024-30260 | vulnerable (no DSA) | fixed | fixed | fixed | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ... |
| CVE-2024-24758 | vulnerable (no DSA) | fixed | fixed | fixed | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ... |

| Bug | Description |
|---|---|
| CVE-2026-9675 | Impact: The undici WebSocket client enforces maxPayloadSize per-frame ... |
| CVE-2024-38372 | Undici is an HTTP/1.1 client, written from scratch for Node.js. Depend ... |
| CVE-2024-24750 | Undici is an HTTP/1.1 client, written from scratch for Node.js. In aff ... |
| CVE-2023-45143 | Undici is an HTTP/1.1 client written from scratch for Node.js. Prior t ... |
| CVE-2023-24807 | Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the ... |
| CVE-2023-23936 | Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 ... |
| CVE-2022-35949 | undici is an HTTP/1.1 client, written from scratch for Node.js. `undici ... |
| CVE-2022-35948 | undici is an HTTP/1.1 client, written from scratch for Node.js. `=< und ... |
| CVE-2022-32210 | `Undici.ProxyAgent` never verifies the remote server's certificate, an ... |
| CVE-2022-31151 | Authorization headers are cleared on cross-origin redirect. However, c ... |
| CVE-2022-31150 | undici is an HTTP/1.1 client, written from scratch for Node.js. It is ... |