>= 4.8.2, < 5.5.1
HIGH 7.5 CVE-2026-1526 Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
from 0, < 6.24.0
HIGH 7.5 CVE-2026-2229 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
from 0, < 6.24.0
HIGH 7.5 Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
>= 6.0.0, < 6.24.0
HIGH 7.5 Regular Expression Denial of Service in Headers
from 0, < 5.19.1
MEDIUM 6.8 Use of Insufficiently Random Values in undici
>= 4.5.0, < 5.28.5
MEDIUM 6.5 Undici has an HTTP Request/Response Smuggling issue
from 0, < 6.24.0
MEDIUM 6.5 fetch(url) leads to a memory leak in undici
>= 6.0.0, < 6.6.1
MEDIUM 5.9 Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
>= 7.17.0, < 7.24.0
MEDIUM 5.9 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
>= 7.0.0, < 7.18.2
MEDIUM 5.3 Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
from 0, < 5.8.2
MEDIUM 5.3 `undici.request` vulnerable to SSRF using absolute URL on `pathname`
from 0, < 5.8.2
MEDIUM 5.3 undici before v5.8.0 vulnerable to CRLF injection in request headers
from 0, < 5.8.0
MEDIUM 4.6 Undici has CRLF Injection in undici via `upgrade` option
from 0, < 6.24.0
MEDIUM 4.6 CRLF Injection in Nodejs ‘undici’ via host
>= 2.0.0, < 5.19.1
LOW 3.9 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
from 0, < 5.28.4
LOW 3.9 Undici proxy-authorization header not cleared on cross-origin redirect in fetch
from 0, < 5.28.3
LOW 3.9 Undici's cookie header not cleared on cross-origin redirect in fetch
from 0, < 5.26.2
LOW 3.7 undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
from 0, < 5.8.0
LOW 3.1 undici Denial of Service attack via bad certificate data
from 0, < 5.29.0
LOW 2.6 Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
from 0, < 5.28.4
LOW 2.0 Undici vulnerable to data leak when using response.arrayBuffer()
>= 6.14.0, < 6.19.2