undici 7.23.0

Direct Vulnerabilities

Known vulnerabilities in the undici package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M CRLF Injection undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to CRLF Injection via the `upgrade` option of the `client.request()` function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTTP requests by sending specially crafted input, potentially leading to unauthorized information disclosure or bypassing of security controls. How to fix CRLF Injection? Upgrade `undici` to version 6.24.0, 7.24.0 or higher.	<6.24.0>=7.0.0-alpha.1 <7.24.0
H Uncaught Exception undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. An attacker can cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw instance. How to fix Uncaught Exception? Upgrade `undici` to version 6.24.0, 7.24.0 or higher.	<6.24.0>=7.0.0-alpha.1 <7.24.0
H Improper Handling of Highly Compressed Data (Data Amplification) undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the `PerMessageDeflate.decompress()` method of the permessage-deflate extension. An attacker can cause excessive memory usage by sending specially crafted compressed WebSocket frames that decompress to a very large size, potentially leading to process crashes or unresponsiveness. How to fix Improper Handling of Highly Compressed Data (Data Amplification)? Upgrade `undici` to version 6.24.0, 7.24.0 or higher.	<6.24.0>=7.0.0-alpha.1 <7.24.0
H Allocation of Resources Without Limits or Throttling undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `deduplication-handler` component when interceptors.deduplicate() is enabled. An attacker can cause excessive memory consumption and potential application termination by sending large or chunked responses along with concurrent identical requests from an untrusted endpoint. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `undici` to version 7.24.0 or higher.	>=7.17.0 <7.24.0
H Uncaught Exception undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to terminate unexpectedly by sending such a frame, resulting in a fatal TypeError and service disruption. How to fix Uncaught Exception? Upgrade `undici` to version 6.24.0, 7.24.0 or higher.	>=6.0.0 <6.24.0>=7.0.0-alpha.1 <7.24.0
M HTTP Request Smuggling undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to HTTP Request Smuggling in the `processHeader()` while handling HTTP/1.1 requests containing duplicate `Content-Length` headers with differing casing. An attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend servers. How to fix HTTP Request Smuggling? Upgrade `undici` to version 6.24.0, 7.24.0 or higher.	<6.24.0>=7.0.0-alpha.1 <7.24.0

Vulnerability

Vulnerable Version

CRLF Injection