undici@7.3.0

An HTTP/1.1 client, written from scratch for Node.js

  • latest version

    7.24.6

  • first published

    7 years ago

  • latest version published

    5 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the undici package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions
    • CRLF Injection (Medium severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to CRLF Injection via the upgrade option of the client.request() function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTTP requests by sending specially crafted input, potentially leading to unauthorized information disclosure or bypassing of security controls.

    How to fix CRLF Injection?

    Upgrade undici to version 6.24.0, 7.24.0 or higher.

    Vulnerable versions: <6.24.0, >=7.0.0-alpha.1 <7.24.0
    • Uncaught Exception (High severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the server_max_window_bits parameter in the permessage-deflate extension. An attacker can cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw instance.

    How to fix Uncaught Exception?

    Upgrade undici to version 6.24.0, 7.24.0 or higher.

    Vulnerable versions: <6.24.0, >=7.0.0-alpha.1 <7.24.0
    • Improper Handling of Highly Compressed Data (Data Amplification) (High severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker can cause excessive memory usage by sending specially crafted compressed WebSocket frames that decompress to a very large size, potentially leading to process crashes or unresponsiveness.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade undici to version 6.24.0, 7.24.0 or higher.

    Vulnerable versions: <6.24.0, >=7.0.0-alpha.1 <7.24.0
    • Uncaught Exception (High severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to terminate unexpectedly by sending such a frame, resulting in a fatal TypeError and service disruption.

    How to fix Uncaught Exception?

    Upgrade undici to version 6.24.0, 7.24.0 or higher.

    Vulnerable versions: >=6.0.0 <6.24.0, >=7.0.0-alpha.1 <7.24.0
    • HTTP Request Smuggling (Medium severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to HTTP Request Smuggling in the processHeader() function while handling HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend servers.

    How to fix HTTP Request Smuggling?

    Upgrade undici to version 6.24.0, 7.24.0 or higher.

    Vulnerable versions: <6.24.0, >=7.0.0-alpha.1 <7.24.0
    • Allocation of Resources Without Limits or Throttling (Medium severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses with a large number of chained compression steps in the Content-Encoding header.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade undici to version 6.23.0, 7.18.2 or higher.

    Vulnerable versions: <6.23.0, >=7.0.0-alpha.2 <7.18.2
    • Missing Release of Memory after Effective Lifetime (Low severity)

    undici is an HTTP/1.1 client, written from scratch for Node.js

    Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper handling of invalid certificate data. An attacker can cause a memory leak by setting up a server with a bad certificate and inducing the application to repeatedly call a webhook-like system.

    How to fix Missing Release of Memory after Effective Lifetime?

    Upgrade undici to version 5.29.0, 6.21.2, 7.5.0 or higher.

    Vulnerable versions: <5.29.0, >=6.0.0 <6.21.2, >=7.0.0 <7.5.0
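The CRLF Injection and HTTP Request Smuggling entries above both come down to header handling: a caller-supplied value that contains CR/LF, and repeated Content-Length fields that differ only in name casing. The following is an added example, not undici's code, showing the defensive checks that close both gaps in any header-processing layer; the header list format and the sample headers are constructed for illustration.

```javascript
// Added example (not part of undici). Defensive header validation for the
// two header-level problems described above: CR/LF inside a header value
// (CRLF injection) and duplicate Content-Length fields with differing casing
// (request smuggling). Input is a constructed list of [name, value] pairs.

// Reject any header name or value containing CR or LF, so a caller-supplied
// value (such as an `upgrade` option) cannot terminate the header block early.
function hasCrlf(value) {
  return /[\r\n]/.test(String(value));
}

// Validate raw headers as they appear on the wire. Field names are compared
// case-insensitively, as HTTP requires, so "Content-Length" and
// "content-length" are the same field. Returns { ok, contentLength } on
// success or { ok: false, reason } on the first problem found.
function validateHeaders(rawHeaders) {
  let contentLength = null;
  for (const [name, value] of rawHeaders) {
    if (hasCrlf(name) || hasCrlf(value)) {
      return { ok: false, reason: `CR/LF in header ${JSON.stringify(name)}` };
    }
    if (name.toLowerCase() === 'content-length') {
      const v = String(value).trim();
      if (!/^\d+$/.test(v)) {
        return { ok: false, reason: `invalid Content-Length ${JSON.stringify(v)}` };
      }
      // A repeated Content-Length is only acceptable when every copy agrees;
      // differing values are the classic smuggling signal and must be rejected.
      if (contentLength !== null && contentLength !== v) {
        return { ok: false, reason: 'conflicting Content-Length headers' };
      }
      contentLength = v;
    }
  }
  return { ok: true, contentLength: contentLength === null ? null : Number(contentLength) };
}

// Constructed sample: two Content-Length fields that differ only in casing.
const smuggled = [['Host', 'example.test'], ['Content-Length', '5'], ['content-length', '11']];
console.log(validateHeaders(smuggled)); // { ok: false, reason: 'conflicting Content-Length headers' }

// Constructed sample: an upgrade value carrying an injected header line.
console.log(validateHeaders([['Upgrade', 'websocket\r\nX-Injected: 1']])); // { ok: false, ... }
```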