chore(deps): update dependency undici to v7.28.0 [security] #1254
Merged
travi approved these changes on Jun 19, 2026
This PR contains the following updates:
undici 7.26.0 → 7.28.0

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
CVE-2026-9678 / GHSA-pr7r-676h-xcf6

Impact
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream `Cache-Control` header uses whitespace-padded qualified `private` or `no-cache` field names such as `private=" authorization"` or `no-cache="\tauthorization"`. The parser preserves the surrounding whitespace, so later comparisons against the literal `authorization` field name fail and the response is stored. In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.

Affected applications are those that explicitly enable the cache interceptor (`interceptors.cache()`) in shared mode, forward `Authorization` headers upstream, and receive cacheable responses with non-canonical qualified `private` or `no-cache` directives.

Patches
Upgrade to undici v7.28.0 or v8.5.0.

Workarounds
If upgrade is not immediately possible, disable shared-cache mode for traffic that includes `Authorization` headers, avoid caching responses to authenticated requests, or add `Vary: Authorization` upstream.

Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
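As an added illustration (not undici's code and not part of the advisory), the JavaScript below reproduces the classification defect described above beside the trimmed comparison the fix applies; it also covers the matching release-note entry further down. `parseCacheControl` and `isStorableInSharedCache` are assumed names, and the storability rule is a simplification of the advisory's description, not undici's actual cache logic.

```javascript
// Added example, not undici's code: a minimal Cache-Control parser and a
// shared-cache storability check. trimFields: false reproduces the defect
// (padded field names are kept), trimFields: true is the fixed behaviour.
// The rule "a qualified private/no-cache naming authorization is not storable
// in shared mode" is taken from the advisory; the rest is a simplification.
const DIRECTIVE = /([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^,]*)))?/g;
const QUALIFIED = new Set(['private', 'no-cache']);

// Returns { name: true | "token" | [field, ...] } keyed by lower-cased name.
function parseCacheControl(header, { trimFields }) {
  const directives = {};
  for (const m of header.matchAll(DIRECTIVE)) {
    const name = m[1].toLowerCase();
    const quoted = m[2];
    const token = m[3];
    if (quoted === undefined && token === undefined) {
      directives[name] = true;                     // e.g. public, no-store
    } else if (QUALIFIED.has(name)) {
      // Qualified form lists header fields: private="authorization, set-cookie".
      // The defect: without trim(), " authorization" keeps its padding and is
      // never equal to "authorization" in the comparison below.
      directives[name] = (quoted ?? token)
        .split(',')
        .map((f) => (trimFields ? f.trim() : f).toLowerCase());
    } else {
      directives[name] = (quoted ?? token).trim(); // e.g. max-age=60
    }
  }
  return directives;
}

// Shared-cache decision as the advisory describes it (simplified).
function isStorableInSharedCache(cacheControl, { trimFields }) {
  const d = parseCacheControl(cacheControl, { trimFields });
  if (d['no-store'] || d.private === true) return false;   // unqualified private
  for (const name of QUALIFIED) {
    if (Array.isArray(d[name]) && d[name].includes('authorization')) return false;
  }
  return true;
}
```

With `trimFields: false` the padded `private=" authorization"` response is judged storable, which is the stored-and-shared case the advisory describes; with `trimFields: true` it is not.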
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
CVE-2026-9697 / GHSA-vmh5-mc38-953g

Impact
undici's `ProxyAgent` silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured `ca`, `cert`, `key`, `rejectUnauthorized`, and `servername` settings.

Applications that pin to an internal or corporate CA via `requestTls.ca` will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.

Affected applications are those that use undici's `ProxyAgent` (or `Socks5ProxyAgent` directly) with SOCKS5 AND rely on `requestTls` for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.

Patches
Upgrade to undici v7.28.0 or v8.5.0.

Workarounds
No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy `ProxyAgent` instead, where `requestTls` is honored correctly.

Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nodejs/undici (undici)
v7.28.0 (Compare Source)
This release line addresses 7 security advisories, all shipped in v7.28.0. The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.
Summary

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)
A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.
Affected: `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
Fix: 04201f89 fix: honor requestTls when proxy is SOCKS5 (#5417)
The `ProxyAgent` silently discarded the `requestTls` option when configured with a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured parameters such as `ca`, `cert`, `key`, `rejectUnauthorized`, and `servername`, falling back to the default Mozilla CA bundle. Applications relying on certificate pinning to an internal CA were exposed to man-in-the-middle attacks.
Affected: `ProxyAgent`/`Socks5ProxyAgent` over SOCKS5 that rely on `requestTls`.
Workaround: an HTTP-proxy `ProxyAgent`, where `requestTls` functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734
GHSA-hm92-r4w5-c3mj · CWE-346
Fix: 3805b8f8 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)
`Socks5ProxyAgent` reused a single connection pool across different origins without verifying the pool's origin matched the requested origin. This could route credentials and request data to unintended destinations, cause responses from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.
Affected: `Socks5ProxyAgent` across multiple origins (introduced in 7.23.0 via #4385).
Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678
GHSA-pr7r-676h-xcf6 · CWE-524
Fix: 85a24055 fix(cache): trim qualified field names
The cache interceptor mishandled responses with whitespace-padded `Cache-Control` directives such as `private=" authorization"`. In shared-cache mode this could cause authenticated data to be cached and served to other users.
Affected: applications that forward `Authorization` upstream and receive non-canonical qualified directives.
Workaround: avoid caching authenticated responses, or add `Vary: Authorization` upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly
`parseSetCookie` applied percent-decoding to cookie values, turning encoded sequences like `%0D%0A` and `%00` into literal bytes, contrary to RFC 6265 §5.4 and browser behavior. Applications forwarding parsed Set-Cookie values into response headers were exposed to header injection, enabling session fixation, open redirects, and cache poisoning. Introduced in 7.0.0 via #3789.
`NUL`, `;`, and `=`.

Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted `SameSite` values containing `Strict`, `Lax`, or `None` as substrings rather than requiring exact matches per RFC 6265. Values like `SameSite=NoneOfYourBusiness` parsed as `None`, and `SameSite=StrictLax` parsed as `Lax`, silently weakening cookie security policies for apps that forward parsed attributes.
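The two cookie fixes above (CVE-2026-9679 and CVE-2026-11525) amount to two parsing rules: keep the value bytes as sent, and accept `SameSite` only on an exact match. The following is an added example written for this page, not undici's `parseSetCookie`; `parseSetCookie` and `isSafeHeaderValue` are assumed names, and the sample header is constructed.

```javascript
// Added example, not undici's parseSetCookie: keeps the cookie value exactly
// as sent (no percent-decoding) and accepts SameSite only on an exact,
// case-insensitive match, which is what the two cookie fixes above require.
// parseSetCookie / isSafeHeaderValue are assumed names for this example.
const SAME_SITE = new Set(['strict', 'lax', 'none']);

// Parse one Set-Cookie header into { name, value, attributes }, or null.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq === -1) return null;                        // no name=value pair
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();           // verbatim: %0D%0A stays encoded
  const attributes = {};
  for (const raw of attrParts) {
    const i = raw.indexOf('=');
    const key = (i === -1 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : raw.slice(i + 1).trim();
    if (key === 'samesite') {
      // Exact match only: "NoneOfYourBusiness" or "StrictLax" is not a policy,
      // so the attribute is dropped rather than downgraded (assumed handling).
      const v = val.toLowerCase();
      if (SAME_SITE.has(v)) attributes.sameSite = v;
    } else if (key) {
      attributes[key] = i === -1 ? true : val;       // e.g. secure: true, path: "/"
    }
  }
  return { name, value, attributes };
}

// Guard for code that copies a parsed value into a response header: CR, LF
// or NUL in the value would end the header line and inject further headers.
function isSafeHeaderValue(value) {
  return !/[\r\n\0]/.test(value);
}

// Constructed sample input: an upstream Set-Cookie carrying encoded CRLF and
// a bogus SameSite value.
const SAMPLE = 'sid=abc%0D%0AX-Injected%3A%201; Path=/; SameSite=NoneOfYourBusiness; Secure';
const parsedSample = parseSetCookie(SAMPLE);
```

The preserved value passes `isSafeHeaderValue`, while its percent-decoded form (what the pre-fix behaviour produced) contains a literal CRLF and fails it.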
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: ea8930cf fix: guard idle socket validation to skip fresh sockets, hardened by 8e4046e4 keep idle validation on native timers (#5402) and 0fa80869 keep idle validation on global timers (#5409)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited responses onto idle keep-alive sockets. On socket reuse, the injected response was associated with a new request, delivering responses to the wrong requests.
Affected: keep-alive reuse.
Workaround: `keepAliveTimeout: 0` on the `Client` or `Pool`.
Release contents & deliberate backports
v7.28.0 is a security-only release — every change in it is one of the fixes above, backported to the v7.x maintenance line on purpose from the v8 development line:
- #5423 — backport of the WebSocket `maxPayloadSize` fragment-count / cumulative-size limits (CVE-2026-12151).
- #5402 — backport of the idle-validation hardening (native + global timers) for the queue-poisoning fix (CVE-2026-6733).
- #5417 — `requestTls` over SOCKS5 fix (CVE-2026-9697).
The cookie (d0574cc4), cache (85a24055) and queue-poisoning core (ea8930cf) fixes were applied directly to the v7.x branch. Full changelog: v7.27.2...v7.28.0.

Credits
Per-advisory credits (as recorded in each GHSA):
v7.27.2 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v7.27.1...v7.27.2

v7.27.1 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v7.27.0...v7.27.1

v7.27.0 (Compare Source)
What's Changed
Full Changelog: nodejs/undici@v7.26.0...v7.27.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.