plugin-cloudflare-0.31.0.tgz: 7 vulnerabilities (highest severity is: 9.9) #205
Description
Vulnerable Library - plugin-cloudflare-0.31.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (plugin-cloudflare version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-0933 |  Critical |
9.9 | wrangler-4.33.0.tgz | Transitive | 0.32.0 | ❌ |
| CVE-2026-2229 |  High |
7.5 | undici-7.16.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-1528 | High |
7.5 | undici-7.16.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-1526 | High |
7.5 | undici-7.16.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-1525 |  Medium |
6.5 | undici-7.16.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-22036 | Medium |
5.9 | undici-7.16.0.tgz | Transitive | 0.32.0 | ❌ |
| CVE-2026-1527 | Medium |
4.6 | undici-7.16.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-0933
Vulnerable Library - wrangler-4.33.0.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-4.33.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- ❌ wrangler-4.33.0.tgz (Vulnerable Library)
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
- Run any shell command.
- Exfiltrate environment variables.
- Compromise the CI runner to install backdoors or modify build artifacts.
Credits Disclosed responsibly by kny4hacker.
Mitigation - Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
- Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Publish Date: 2026-01-20
URL: CVE-2026-0933
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-20
Fix Resolution (wrangler): 4.59.1
Direct dependency fix Resolution (@storm-stack/plugin-cloudflare): 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-2229
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1528
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: 2026-03-12
URL: CVE-2026-1528
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f269-vfmq-vjvj
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1526
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1525
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences: - Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-22036
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 7.18.2
Direct dependency fix Resolution (@storm-stack/plugin-cloudflare): 0.32.0
Step up your Open Source Security Game with Mend here
CVE-2026-1527
Vulnerable Library - undici-7.16.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-cloudflare-0.31.0.tgz (Root Library)
- vite-plugin-1.12.3.tgz
- miniflare-4.20250902.0.tgz
- ❌ undici-7.16.0.tgz (Vulnerable Library)
- miniflare-4.20250902.0.tgz
- vite-plugin-1.12.3.tgz
Found in base branch: main
Vulnerability Details
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += "connection: upgrade\r\nupgrade: ${upgrade}\r\n"
}
Publish Date: 2026-03-12
URL: CVE-2026-1527
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4992-7rv2-5pvq
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here