
CVE-2025-22150 – Undici Uses Insufficiently Random Values
https://notcve.org/view.php?id=CVE-2025-22150
21 Jan 2025 — Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the values needed for that prediction. Therefore, an attacker can tamper with the requests going to the... • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f • CWE-330: Use of Insufficiently Random Values •

CVE-2024-30260 – Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
https://notcve.org/view.php?id=CVE-2024-30260
04 Apr 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. • https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f • CWE-285: Improper Authorization •

CVE-2024-24758 – Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
https://notcve.org/view.php?id=CVE-2024-24758
16 Feb 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-45143 – Undici's cookie header not cleared on cross-origin redirect in fetch
https://notcve.org/view.php?id=CVE-2023-45143
12 Oct 2023 — Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, which means they cannot be set via RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec makes and undici's implementation of fetch. As such this may lead to a... • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-23936 – CRLF Injection in Nodejs ‘undici’ via host
https://notcve.org/view.php?id=CVE-2023-23936
16 Feb 2023 — Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici. A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. • https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •

CVE-2023-24807 – Undici vulnerable to Regular Expression Denial of Service in Headers
https://notcve.org/view.php?id=CVE-2023-24807
16 Feb 2023 — Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. • https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf • CWE-20: Improper Input Validation CWE-1333: Inefficient Regular Expression Complexity •

CVE-2022-35948 – CRLF Injection in Nodejs ‘undici’ via Content-Type
https://notcve.org/view.php?id=CVE-2022-35948
13 Aug 2022 — undici is an HTTP/1.1 client, written from scratch for Node.js. `<= undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example:
```js
import { request } from 'undici'

// Attacker-controlled value: the CRLF CRLF ends the header block, and the
// remainder is read by the server as the start of a second request.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: { 'content-type': unsanitizedContentTypeInput },
})
```
The above snippet will perform... • https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •

CVE-2022-35949 – `undici.request` vulnerable to SSRF using absolute URL on `pathname`
https://notcve.org/view.php?id=CVE-2022-35949
12 Aug 2022 — undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:
```js
const undici = require("undici")

// `pathname` is attacker-controlled; a protocol-relative value replaces the host.
undici.request({ origin: "http://example.com", pathname: "//127.0.0.1" })
```
Instead of processing the request as `http://example.com//127.0.0.1` (or `http://example.com/http://127.0.... • https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 • CWE-918: Server-Side Request Forgery (SSRF) •
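As an added example (not undici's fix or its code), the block below shows what standard WHATWG URL resolution does with the two payloads from the advisory, and one way an application can validate a user-supplied path before handing it to any HTTP client: require an origin-relative path and verify after resolution that the origin is unchanged. The function names and the `rejects` helper are this example's own.

```javascript
// Added example, not undici code: what a user-controlled "path" can do to the
// request target, and a check that keeps it on the configured origin.

// Plain WHATWG URL resolution of `path` against `origin`. Both "//127.0.0.1"
// and "http://127.0.0.1" replace the host; only a single-slash path stays put.
function resolveTarget(origin, path) {
  return new URL(path, origin).href;
}

// Hardened version: accept only an origin-relative path and verify, after
// resolution, that the origin did not change. Throws otherwise.
function safeTarget(origin, path) {
  if (typeof path !== 'string' || path[0] !== '/' || path[1] === '/' || path[1] === '\\') {
    // "//host" is protocol-relative; "/\host" is treated the same way for http(s) URLs.
    throw new TypeError(`path must be origin-relative, got ${JSON.stringify(path)}`);
  }
  const target = new URL(path, origin);
  const expected = new URL(origin).origin;
  if (target.origin !== expected) {
    throw new TypeError(`path resolved to ${target.origin}, expected ${expected}`);
  }
  return target.href;
}

// Helper for callers that want a boolean: true if `safeTarget` rejects the path.
function rejects(origin, path) {
  try {
    safeTarget(origin, path);
    return false;
  } catch {
    return true;
  }
}
```

`resolveTarget('http://example.com', '//127.0.0.1')` yields `http://127.0.0.1/`, which is the host swap the advisory describes; `safeTarget` rejects it at the prefix check, and the post-resolution origin comparison is there so that any resolution quirk not caught by the prefix check (for example a backslash, which the URL parser treats as a slash for http and https) still fails closed.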

CVE-2022-31151 – Uncleared cookies on cross-host/cross-origin redirect in undici
https://notcve.org/view.php?id=CVE-2022-31151
20 Jul 2022 — Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a 3rd-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) can use it to leak the cookie to the 3rd-party site. This was patched in v5.7.1. • https://github.com/nodejs/undici/issues/872 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-346: Origin Validation Error CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
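The four redirect advisories above (CVE-2022-31151, CVE-2023-45143, CVE-2024-24758 and CVE-2024-30260) all come down to one policy: when the redirect target's origin differs from the current request's origin, `Authorization`, `Proxy-Authorization` and `Cookie` must not be copied onto the next request, whichever API started the chain. The following is an added example, not undici's implementation, of that policy together with an offline walk through a constructed redirect chain; the URLs, header values and the in-memory response map are all made up for the illustration.

```javascript
// Added example, not undici code: strip credential-bearing headers when a
// redirect crosses origins, and follow a constructed redirect chain offline.

// Headers that must not travel to a different origin: the set covered by the
// advisories above.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Origin comparison per the URL standard: scheme, host and port (default ports
// are normalised away by the URL parser, so https://a:443 equals https://a).
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Returns the headers to send on the redirected request. Header names are
// compared case-insensitively because HTTP field names are.
function headersForRedirect(fromUrl, location, headers) {
  const target = new URL(location, fromUrl);        // Location may be relative
  const crossOrigin = isCrossOrigin(fromUrl, target);
  const out = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      stripped.push(name);
      continue;
    }
    out[name] = value;
  }
  return { url: target.href, headers: out, stripped };
}

// Offline stand-in for the network: a constructed map of URL -> response.
// 3xx responses carry a Location; anything else ends the chain.
function followRedirects(startUrl, headers, responses, maxHops = 5) {
  let url = startUrl;
  let hdrs = { ...headers };
  const log = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[url];
    if (!res) throw new Error(`no constructed response for ${url}`);
    log.push({ url, sentHeaders: { ...hdrs }, status: res.status });
    if (res.status < 300 || res.status > 399 || !res.location) return log;
    ({ url, headers: hdrs } = headersForRedirect(url, res.location, hdrs));
  }
  throw new Error('too many redirects');
}

// Constructed chain: one same-origin hop, then a cross-origin hop.
const CONSTRUCTED_RESPONSES = {
  'https://api.example.com/v1/me': { status: 302, location: '/v2/me' },
  'https://api.example.com/v2/me': { status: 307, location: 'https://cdn.example.net/me' },
  'https://cdn.example.net/me': { status: 200 },
};

// Constructed request headers (the credentials are placeholders).
const REQUEST_HEADERS = {
  Authorization: 'Bearer secret-token',
  Cookie: 'session=abc',
  'Proxy-Authorization': 'Basic cHJveHk6cHc=',
  Accept: 'application/json',
};

function demo() {
  return followRedirects('https://api.example.com/v1/me', REQUEST_HEADERS, CONSTRUCTED_RESPONSES);
}
```

`demo()` returns three log entries: the first two requests (both on `api.example.com`) carry all four headers, while the third, sent to `cdn.example.net`, carries only `Accept`. Note that a scheme change alone (`http://a.example` to `https://a.example`) is also cross-origin and strips the credentials, whereas an explicit default port (`https://a.example:443`) does not.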

CVE-2022-31150 – CRLF injection in request headers
https://notcve.org/view.php?id=CVE-2022-31150
19 Jul 2022 — undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. • https://github.com/nodejs/undici/releases/tag/v5.8.0 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
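The three CRLF entries (CVE-2022-31150, CVE-2022-35948 via `content-type`, CVE-2023-23936 via `host`) and the ReDoS entry (CVE-2023-24807, a super-linear regex in `headerValueNormalize()`) both concern how a client treats a header value before it is written to the wire. The following is an added example, not undici's code: a linear-time normaliser that strips leading and trailing HTTP whitespace (HTAB, LF, CR, SP, the "HTTP whitespace" set of the Fetch specification) with two index scans instead of a regex, a CR/LF check, and a naive serialiser beside a checked one so the injected second request is visible in the produced bytes. The vulnerable regex itself is not on this page and is not reproduced; the function names and the sample headers are this example's own.

```javascript
// Added example, not undici code: linear-time header value normalisation plus
// a CRLF check, and what an unchecked value does to a serialised request.

// Fetch spec "HTTP whitespace": HTAB, LF, CR, SP.
const HTTP_WS = new Set([0x09, 0x0a, 0x0d, 0x20]);

// Strip leading and trailing HTTP whitespace with two index scans: O(n) in the
// input length, no backtracking regardless of how the whitespace is laid out.
function headerValueNormalize(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value.charCodeAt(start))) start++;
  while (end > start && HTTP_WS.has(value.charCodeAt(end - 1))) end--;
  return value.slice(start, end);
}

// After normalisation a field value (or name) may not contain CR, LF or NUL;
// any of them lets the value terminate the current line on the wire.
function isValidHeaderValue(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x0d || c === 0x0a || c === 0x00) return false;
  }
  return true;
}

// Naive serialiser: what a client that trusts its inputs writes to the socket.
function serializeRequest(method, host, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n`;
  for (const [name, value] of Object.entries(headers)) out += `${name}: ${value}\r\n`;
  return out + '\r\n';
}

// Hardened serialiser: normalise every value (host included), then refuse
// anything that could end a line. Throws instead of sending.
function serializeRequestChecked(method, host, path, headers) {
  const safe = {};
  for (const [name, value] of Object.entries({ host, ...headers })) {
    const v = headerValueNormalize(String(value));
    if (!isValidHeaderValue(name) || !isValidHeaderValue(v)) {
      throw new TypeError(`invalid header: ${name}`);
    }
    safe[name] = v;
  }
  const { host: checkedHost, ...rest } = safe;
  return serializeRequest(method, checkedHost, path, rest);
}

// True if the checked serialiser refuses the request.
function rejectsRequest(method, host, path, headers) {
  try {
    serializeRequestChecked(method, host, path, headers);
    return false;
  } catch {
    return true;
  }
}

// Count request lines in the bytes a server would read: more than one means a
// second request was smuggled in through a header value.
function countRequestLines(raw) {
  return raw.split('\r\n').filter((line) => /^[A-Z]+ \S+ HTTP\/1\.1$/.test(line)).length;
}
```

With the `content-type` payload from CVE-2022-35948 (`'application/json\r\n\r\nGET /foo2 HTTP/1.1'`), `serializeRequest` emits two request lines and `serializeRequestChecked` throws; the same holds for a `host` value carrying a CRLF. A value such as `' \tapplication/json\r\n'` is merely trimmed to `application/json` and accepted, which is the behaviour a normaliser is for.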