Latest nodejs undici Vulnerabilities

Undici's cookie header not cleared on cross-origin redirect in fetch
Nodejs Undici<5.26.2
npm/undici<5.26.2
redhat/node-undici<5.26.2
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Fedoraproject Fedora=39

Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulne...
redhat/nodejs<18-9020020230327152102.rhel9
redhat/nodejs<1:16.19.1-1.el9_2
redhat/nodejs<1:16.20.2-1.el9_0
Nodejs Node.js>=16.0.0<16.19.1
Nodejs Node.js>=18.0.0<18.14.1
Nodejs Node.js>=19.0.0<19.6.1
and 2 more

Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Headers.set() and Headers.append() methods in the fetch API. By sending a specially-c...
redhat/nodejs<18-9020020230327152102.rhel9
redhat/nodejs<1:16.19.1-1.el9_2
redhat/nodejs<1:16.20.2-1.el9_0
Nodejs Undici<5.19.1
IBM Cognos Dashboards on Cloud Pak for Data<=4.7.0

A flaw was found in the undici package. When requesting unsanitized input on content-type headers, it is possible to inject additional requests via Carriage Return/Line Feed (CRLF).
Nodejs Undici<5.8.2

A Server-Side Request Forgery (SSRF) vulnerability was found in undici, an HTTP/1.1 client for Node.js. An attacker can manipulate the server-side application to make requests to an unintended location...
Nodejs Undici<=5.8.1

A flaw was found in the undici package. After cookie headers are set, they are not cleared. This issue could allow an attacker to take advantage of this cookie, which could be used to control the redi...
Nodejs Undici<5.7.1

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0....
Nodejs Undici<5.8.0

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if...
Nodejs Undici>=4.8.2<5.5.1

© 2024 SecAlerts Pty Ltd.