Update dependency undici to v6.24.0 [SECURITY] by renovate[bot] · Pull Request #234 · LivePersonInc/faas-cli

renovate · 2025-08-07T11:42:54Z

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	`6.19.2` → `6.24.0`

Use of Insufficiently Random Values in undici

CVE-2025-22150 / GHSA-c76h-2ccp-4975

More information

Details

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

Severity

CVSS Score: 6.8 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

undici Denial of Service attack via bad certificate data

CVE-2025-47279 / GHSA-cxrh-j4jr-qwg3

More information

Details

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

Severity

CVSS Score: 3.1 / 10 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2026-22036 / GHSA-g9mf-h72j-4rw9

More information

Details

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

Severity

CVSS Score: 5.9 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

CVE-2026-1528 / GHSA-f269-vfmq-vjvj

More information

Details

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

There are no workarounds.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
Applications that accept user-controlled header names without case-normalization

Potential consequences:

Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8

More information

Details

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
The createInflateRaw() call is not wrapped in a try-catch block
The resulting exception propagates up through the call stack and crashes the Node.js process

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

More information

Details

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact

Remote denial of service against any Node.js application using undici's WebSocket client
A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
No application-level mitigation is possible as decompression occurs before message delivery

Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Undici has CRLF Injection in undici via `upgrade` option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

Inject arbitrary HTTP headers
Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

CVSS Score: 4.6 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

nodejs/undici (undici)

Conversation

renovate Bot commented Aug 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Use of Insufficiently Random Values in undici

Details

Impact

Patches

Workarounds

References

Severity

References

undici Denial of Service attack via bad certificate data

Details

Impact

Patches

Workarounds

References

Severity

References

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Details

Impact

Patches

Workarounds

References

Severity

References

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

Details

Impact

Patches

Workarounds

Severity

References

Undici has an HTTP Request/Response Smuggling issue

Details

Impact

Patches

Workarounds

Severity

References

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

Details

Impact

Patches

Workarounds

Severity

References

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

Details

Description

Impact

Patches

Workarounds

Severity

References

Undici has CRLF Injection in undici via upgrade option

Details

Impact

Patches

Workarounds

Severity

References

Release Notes

Undici v6.24.0 Security Release Notes (LTS)

Upgrade guidance

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

What's Changed

What's Changed

What's Changed

New Contributors

⚠️ Security Release ⚠️

What's Changed

What's Changed

What's Changed

What's Changed

Configuration

renovate Bot commented Aug 7, 2025 •

edited

Loading

Undici has CRLF Injection in undici via `upgrade` option