⚠️ Security Release
This release line addresses 8 security advisories. Most are fixed in
v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.
Action required: Upgrade to undici 8.5.0 or later.
npm install undici@^8.5.0
Summary
| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 8.5.0 | 32dbf0b3 |
| GHSA-38rv-x7px-6hhq | CVE-2026-9675 | High (7.5) | 8.5.0 | b4c287b3 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 8.5.0 | 42d49559 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 8.2.0 | a516f870 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 8.5.0 | cb105d7c |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 8.5.0 | 5655ea43 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 8.5.0 | 5655ea43 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 8.5.0 | 6ea54ef8 |
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)
A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.
- Affected: applications using `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
- Workaround: none — upgrade is required.
WebSocket DoS via cumulative fragment bypass — CVE-2026-9675
GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments
Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
6.x and 7.x lines are not affected).
- Workaround: none — upgrade is required.
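The two WebSocket advisories above are both reassembly limits: one on the total bytes of a fragmented message, one on the number of frames it may consist of. The following is an added illustration, not undici's parser, of a reassembler that enforces both; frames are modelled as `{ fin, payload }` objects and masking, opcodes and control frames are left out.

```javascript
// Added example (not undici's code): a minimal reassembler that enforces both
// limits the two advisories describe. Frames are { fin: boolean, payload: Buffer };
// masking, opcodes and control frames are left out.
class FragmentedMessage {
  constructor({ maxPayload = 1024, maxFragments = 100 } = {}) {
    this.maxPayload = maxPayload;     // bytes across the whole message
    this.maxFragments = maxFragments; // frames per message, empty ones included
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.size = 0;
  }

  // Returns the complete message on a FIN frame, otherwise null. Throws on a
  // frame that would exceed either limit, so a peer streaming endless empty
  // continuation frames (or many tiny ones) is cut off instead of buffered.
  push({ fin, payload }) {
    if (this.chunks.length + 1 > this.maxFragments) {
      this.reset();
      throw new RangeError('too many fragments in message');
    }
    // Per-frame checks alone would pass every small fragment; the cumulative
    // size is what has to be compared against the limit.
    if (this.size + payload.length > this.maxPayload) {
      this.reset();
      throw new RangeError('message exceeds max payload size');
    }
    this.chunks.push(payload);
    this.size += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.chunks, this.size);
    this.reset();
    return message;
  }
}

// Feed `count` fragments of `bytes` bytes each (FIN on the last). Returns the
// reassembled length, or the error message if a limit tripped.
function feed(reassembler, count, bytes) {
  try {
    for (let i = 0; i < count; i++) {
      const done = reassembler.push({ fin: i === count - 1, payload: Buffer.alloc(bytes, 0x61) });
      if (done !== null) return done.length;
    }
    return null;
  } catch (err) {
    return err.message;
  }
}
```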
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
Fix: 42d49559 fix: honor requestTls when proxy is SOCKS5
The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.
- Affected: `ProxyAgent`/`Socks5ProxyAgent` over SOCKS5 that rely on `requestTls`.
- Workaround: route traffic through an HTTP-proxy `ProxyAgent`, where `requestTls` functions correctly.
Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734
GHSA-hm92-r4w5-c3mj · CWE-346 · Fixed in 8.2.0
Fix: a516f870 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)
Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.
- Affected: applications using `Socks5ProxyAgent` across multiple origins (introduced via #4385).
- Workaround: use a separate agent instance per origin.
Moderate severity
Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678
GHSA-pr7r-676h-xcf6 · CWE-524
Fix: cb105d7c fix(cache): trim qualified field names
The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.
- Affected: apps using the cache interceptor in shared mode that forward `Authorization` upstream and receive non-canonical qualified directives.
- Workaround: disable shared-cache mode for authenticated traffic, avoid caching authenticated responses, or add `Vary: Authorization` upstream.
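The fix commit for this advisory is "trim qualified field names". As an added illustration (not undici's cache interceptor, whose internal logic the advisory does not describe), here is a Cache-Control parser in which the trim is the difference between `private=" authorization"` and `private="authorization"` naming the same header, plus a check a shared cache would make before storing a field.

```javascript
// Added example (not undici's code): parse Cache-Control into directives,
// trimming whitespace inside quoted field lists so that
// `private=" authorization"` names the same header as `private="authorization"`.
function parseCacheControl(header) {
  const directives = new Map();
  // Split on commas that are not inside a quoted-string.
  for (const part of header.match(/(?:[^,"]|"[^"]*")+/g) ?? []) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name === '') continue;
    let value = eq < 0 ? true : part.slice(eq + 1).trim();
    if (typeof value === 'string' && value.startsWith('"') && value.endsWith('"')) {
      // Qualified form: a quoted, comma-separated list of header field names.
      // Without the trim the list would hold ' authorization', and a later
      // comparison against the header name 'authorization' would miss it.
      value = value.slice(1, -1).split(',')
        .map((f) => f.trim().toLowerCase())
        .filter((f) => f !== '');
    }
    directives.set(name, value);
  }
  return directives;
}

// Decide whether a shared cache may store one header field of a response.
// Bare `private` withholds the whole response; `private="a, b"` withholds only
// the named fields (RFC 9111 §5.2.2.7).
function sharedCacheMayStoreField(cacheControl, fieldName) {
  const priv = parseCacheControl(cacheControl).get('private');
  if (priv === undefined) return true;
  if (priv === true) return false;
  return !priv.includes(fieldName.toLowerCase());
}
```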
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly
parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#3789.
- Workaround: sanitize values before forwarding — strip or reject CR, LF, NUL, `;`, and `=`.
Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.
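Both cookie advisories (CVE-2026-9679 and CVE-2026-11525) come down to how a parsed Set-Cookie is turned back into a header. The block below is an added example, not undici's cookie parser: it keeps the value byte-for-byte, matches SameSite exactly, and applies the workaround listed above (rejecting CR, LF, NUL, `;` and `=`) before a value is re-emitted. The `forwardCookie` helper stands in for an application that forwards an upstream cookie on its own response.

```javascript
// Added example (not undici's code): a Set-Cookie parser that stores the
// value as-is (no percent-decoding, per RFC 6265 §5.4), matches SameSite
// exactly, and refuses values that would break a header line on re-emit.
const SAMESITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(), // "%0D%0A" stays "%0D%0A", never CRLF
    sameSite: 'Default',
  };
  for (const attr of attrs) {
    const [rawName, ...rest] = attr.split('=');
    const name = rawName.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (name === 'samesite') {
      // Exact match only: "NoneOfYourBusiness" or "StrictLax" are ignored,
      // leaving the default rather than downgrading to None or Lax.
      cookie.sameSite = SAMESITE.get(val.toLowerCase()) ?? 'Default';
    }
  }
  return cookie;
}

// Reject anything that could terminate or alter a header line (CR, LF, NUL)
// or the cookie-pair grammar itself (";" and "=").
const FORBIDDEN = /[\r\n\x00;=]/;
function safeCookieValue(value) {
  if (FORBIDDEN.test(value)) throw new Error('unsafe cookie value');
  return value;
}

// Stands in for an app that re-emits a parsed upstream cookie on its own
// response; only an exactly matched SameSite is carried over.
function forwardCookie(setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  if (c === null) throw new Error('malformed Set-Cookie');
  const tail = c.sameSite === 'Default' ? '' : `; SameSite=${c.sameSite}`;
  return `${c.name}=${safeCookieValue(c.value)}${tail}`;
}
```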
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: 6ea54ef8 fix: guard idle socket validation to skip fresh sockets, hardened by c9fbe9d2 keep idle validation on native timers (#5397) and ac5394b8 keep idle validation on global timers (#5407)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.
- Requirements: attacker-controlled/compromised upstream and active keep-alive reuse.
- Workaround: disable keep-alive reuse with `keepAliveTimeout: 0` on the `Client` or `Pool`.
Also in v8.5.0 (non-security)
v8.5.0 shipped the security fixes above alongside the following changes. These
are not security fixes — they are listed for completeness of the release. (The
two queue-poisoning hardening PRs, #5397
and #5407, are covered under
CVE-2026-6733 above and are not repeated here.)
- HTTP/2: #5408 don't rewind `kPendingIdx` past in-flight requests · #5391 allow h2 POST request multiplexing · #5406 reap idle HTTP/2 sessions · #5410 preserve h2 queue on out-of-order completion
- Features: #5416 add `bodyMixin.textStream()` · #5418 align EventSource with spec
- Docs / CI / tests: #5413 document request header validation · #5383 absorb h2 stream timeout resets (test) · #5420 remove stale repro + lint · #5426 extend Windows CI timeout · #5427 detect available python in WPT runner
Full changelog: v8.4.1...v8.5.0.
Credits
Per-advisory credits (as recorded in each GHSA):
- CVE-2026-12151 — reported by @lpinca & @Nadav0077; reviewed by @UlisesGascon.
- CVE-2026-9675 — reported by @mauriceng98 & @Str1ckl4nd; fixed by @mcollina & @KhafraDev; reviewed by @UlisesGascon.
- CVE-2026-9697 — reported by @tonghuaroot; reviewed by @UlisesGascon.
- CVE-2026-6734 — reported by @ChALkeR; reviewed by @mcollina; verified by @UlisesGascon.
- CVE-2026-9678 — fixed by @mcollina; reviewed by @UlisesGascon.
- CVE-2026-9679 — reported by @tndud042713; fixed by @mcollina; reviewed by @KhafraDev & @UlisesGascon.
- CVE-2026-11525 — fixed by @mcollina; reviewed by @UlisesGascon.
- CVE-2026-6733 — fixed by @mcollina; verified by @UlisesGascon.