Update undici to resolve high-severity vulnerabilities #251

Merged
kriszyp merged 1 commit into main from update-undici on Mar 18, 2026

Conversation

@cb1kenobi cb1kenobi (Contributor) commented Mar 18, 2026

undici 7.0.0 - 7.23.0 have high-severity vulnerabilities:

  • Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - GHSA-f269-vfmq-vjvj
  • Undici has an HTTP Request/Response Smuggling issue - GHSA-2mjp-6q6p-2qxm
  • Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - GHSA-vrm6-8vpv-qv8q
  • Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - GHSA-v9p9-hfj2-hcw8
  • Undici has CRLF Injection in undici via upgrade option - GHSA-4992-7rv2-5pvq
  • Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - GHSA-phc3-fgpg-7m6h

@cb1kenobi cb1kenobi requested a review from a team as a code owner March 18, 2026 19:16
@kriszyp kriszyp merged commit fbb518b into main Mar 18, 2026
20 of 22 checks passed
@kriszyp kriszyp deleted the update-undici branch March 18, 2026 20:59
2 participants