Commit 03baa36
authored
chore(deps): update dependency undici to v7.24.0 [security] (#3257)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://redirect.github.com/nodejs/undici)) | [`7.22.0` → `7.24.0`](https://renovatebot.com/diffs/npm/undici/7.22.0/7.24.0) | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-1528](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj)
### Impact
A server can reply with a WebSocket frame using the 64-bit length form
and an extremely large length. undici's ByteParser overflows internal
math, ends up in an invalid state, and throws a fatal TypeError that
terminates the process.
### Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade
to this version or later.
### Workarounds
There are no workarounds.
#### [CVE-2026-1525](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm)
### Impact
Undici allows duplicate HTTP `Content-Length` headers when they are
provided in an array with case-variant names (e.g., `Content-Length` and
`content-length`). This produces malformed HTTP/1.1 requests with
multiple conflicting `Content-Length` values on the wire.
**Who is impacted:**
- Applications using `undici.request()`, `undici.Client`, or similar
low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without
case-normalization
**Potential consequences:**
- **Denial of Service**: Strict HTTP parsers (proxies, servers) will
reject requests with duplicate `Content-Length` headers (400 Bad
Request)
- **HTTP Request Smuggling**: In deployments where an intermediary and
backend interpret duplicate headers inconsistently (e.g., one uses the
first value, the other uses the last), this can enable request smuggling
attacks leading to ACL bypass, cache poisoning, or credential hijacking
### Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade
to this version or later.
### Workarounds
If upgrading is not immediately possible:
1. **Validate header names**: Ensure no duplicate `Content-Length`
headers (case-insensitive) are present before passing headers to undici
2. **Use object format**: Pass headers as a plain object (`{
'content-length': '123' }`) rather than an array, which naturally
deduplicates by key
3. **Sanitize user input**: If headers originate from user input,
normalize header names to lowercase and reject duplicates
#### [CVE-2026-2581](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h)
## Impact
This is an uncontrolled resource consumption vulnerability (CWE-400)
that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when `interceptors.deduplicate()` is
enabled, response data for deduplicated requests could be accumulated in
memory for downstream handlers. An attacker-controlled or untrusted
upstream endpoint can exploit this with large/chunked responses and
concurrent identical requests, causing high memory usage and potential
OOM process termination.
Impacted users are applications that use Undici’s deduplication
interceptor against endpoints that may produce large or long-lived
response bodies.
## Patches
The issue has been patched by changing deduplication behavior to stream
response chunks to downstream handlers as they arrive (instead of
full-body accumulation), and by preventing late deduplication when body
streaming has already started.
Users should upgrade to the first official Undici (and Node.js, where
applicable) releases that include this patch.
## Workarounds
If upgrading immediately is not possible:
- Disable `interceptors.deduplicate()` for affected clients/routes.
- Use `skipHeaderNames` with a marker header to force high-risk requests
to bypass deduplication.
- Avoid concurrent identical requests to untrusted endpoints that may
return very large/chunked bodies.
- Apply upstream/proxy response-size and timeout limits.
#### [CVE-2026-1527](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq)
### Impact
When an application passes user-controlled input to the `upgrade` option
of `client.request()`, an attacker can inject CRLF sequences (`\r\n`)
to:
1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to
non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the `upgrade` value
directly to the socket without validating for invalid header characters:
```javascript
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
```
### Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade
to this version or later.
### Workarounds
Sanitize the `upgrade` option string before passing to undici:
```javascript
// Reject any CR or LF before the value can reach the request builder.
function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

// `client` is an undici Client instance; `userInput` is the untrusted string.
client.request({
  upgrade: sanitizeUpgrade(userInput)
})
```
#### [CVE-2026-1526](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q)
## Description
The undici WebSocket client is vulnerable to a denial-of-service attack
via unbounded memory consumption during permessage-deflate
decompression. When a WebSocket connection negotiates the
permessage-deflate extension, the client decompresses incoming
compressed frames without enforcing any limit on the decompressed data
size. A malicious WebSocket server can send a small compressed frame (a
"decompression bomb") that expands to an extremely large size in memory,
causing the Node.js process to exhaust available memory and crash or
become unresponsive.
The vulnerability exists in the `PerMessageDeflate.decompress()` method,
which accumulates all decompressed chunks in memory and concatenates
them into a single Buffer without checking whether the total size
exceeds a safe threshold.
## Impact
- Remote denial of service against any Node.js application using
undici's WebSocket client
- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB
or more
- Memory exhaustion occurs in native/external memory, bypassing V8 heap
limits
- No application-level mitigation is possible as decompression occurs
before message delivery
### Patches
Users should upgrade to fixed versions.
### Workarounds
No workarounds are possible.
#### [CVE-2026-2229](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8)
### Impact
The undici WebSocket client is vulnerable to a denial-of-service attack
due to improper validation of the `server_max_window_bits` parameter in
the permessage-deflate extension. When a WebSocket client connects to a
server, it automatically advertises support for permessage-deflate
compression. A malicious server can respond with an out-of-range
`server_max_window_bits` value (outside zlib's valid range of 8-15).
When the server subsequently sends a compressed frame, the client
attempts to create a zlib InflateRaw instance with the invalid
windowBits value, causing a synchronous RangeError exception that is not
caught, resulting in immediate process termination.
The vulnerability exists because:
1. The `isValidClientWindowBits()` function only validates that the
value contains ASCII digits, not that it falls within the valid range
8-15
2. The `createInflateRaw()` call is not wrapped in a try-catch block
3. The resulting exception propagates up through the call stack and
crashes the Node.js process
### Patches
_Has the problem been patched? What versions should users upgrade to?_
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without
upgrading?_
---
### Release Notes
<details>
<summary>nodejs/undici (undici)</summary>
### [`v7.24.0`](https://redirect.github.com/nodejs/undici/releases/tag/v7.24.0)
[Compare Source](https://redirect.github.com/nodejs/undici/compare/v7.23.0...v7.24.0)
#### What's Changed
**Full Changelog**: <nodejs/undici@v7.23.0...v7.24.0>
### [`v7.23.0`](https://redirect.github.com/nodejs/undici/compare/v7.22.0...fbda3c166860772dd80b2577175617d9dddcdb81)
[Compare Source](https://redirect.github.com/nodejs/undici/compare/v7.22.0...v7.23.0)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/RobinTail/express-zod-api).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent f9d8681 commit 03baa36
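The three workaround steps listed under CVE-2026-1525 (validate, use object format, normalize and reject duplicates), worked through as an added example; this is not undici's code and not part of the advisory, and the names `toSafeHeaderObject`, `checkHeaders` and `HeaderValidationError` are chosen here:

```javascript
// Added example, not undici's own code: implements the three workaround
// steps from the CVE-2026-1525 advisory for the flat-array header form.
// Names are lowercased, a second Content-Length (any case) is rejected,
// and the result is a plain object so undici dedupes by key.
class HeaderValidationError extends Error {}

function toSafeHeaderObject(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new HeaderValidationError('headers must be a flat [name, value, ...] array')
  }
  const out = {}
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]).toLowerCase()
    const value = String(flat[i + 1])
    // A CR/LF in either part would corrupt the wire format, the same class
    // of problem as the `upgrade` option issue (CVE-2026-1527) above.
    if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
      throw new HeaderValidationError(`CR/LF in header ${JSON.stringify(name)}`)
    }
    if (name === 'content-length') {
      if (Object.hasOwn(out, name)) {
        throw new HeaderValidationError('duplicate Content-Length header (case-insensitive)')
      }
      if (!/^\d+$/.test(value)) {
        throw new HeaderValidationError('Content-Length must be a non-negative integer')
      }
      out[name] = value
    } else if (Object.hasOwn(out, name)) {
      // Repeats of other headers are legal; keep them as a value list.
      out[name] = [].concat(out[name], value)
    } else {
      out[name] = value
    }
  }
  return out
}

// Returns the validation error message, or null when the array is accepted.
function checkHeaders(flat) {
  try {
    toSafeHeaderObject(flat)
    return null
  } catch (err) {
    if (err instanceof HeaderValidationError) return err.message
    throw err
  }
}

// Constructed sample: the case-variant duplicate the advisory describes.
const CASE_VARIANT_DUPLICATE = ['Host', 'example.test', 'Content-Length', '5', 'content-length', '10']
```

Pass the returned object, not the original array, to `undici.request()` or `Client.request()`.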
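The two gaps named under CVE-2026-2229 (a digits-only check instead of the 8-15 range, and no try/catch around the inflater setup), shown as an added example of the client-side check; this is not undici's code, and `parsePermessageDeflate`, `negotiateDeflate` and the constants are names chosen here:

```javascript
// Added example, not undici's own code: validates the server's
// Sec-WebSocket-Extensions reply before any zlib InflateRaw is created.
const ZLIB_WINDOW_BITS_MIN = 8
const ZLIB_WINDOW_BITS_MAX = 15

// Parses e.g. "permessage-deflate; server_max_window_bits=12; client_no_context_takeover".
// Returns null if the extension was not negotiated, throws RangeError on bad params.
function parsePermessageDeflate(headerValue) {
  const parts = String(headerValue).split(';').map((s) => s.trim())
  if (parts[0] !== 'permessage-deflate') return null
  const params = {}
  for (const part of parts.slice(1)) {
    if (part === '') continue
    const eq = part.indexOf('=')
    const key = eq === -1 ? part : part.slice(0, eq).trim()
    let value = eq === -1 ? true : part.slice(eq + 1).trim()
    if (typeof value === 'string' && /^".*"$/.test(value)) value = value.slice(1, -1) // quoted-string form
    if (Object.hasOwn(params, key)) throw new RangeError(`duplicate parameter ${key}`)
    params[key] = value
  }
  for (const key of ['server_max_window_bits', 'client_max_window_bits']) {
    const raw = params[key]
    if (raw === undefined || raw === true) continue
    // Digits-only is where the vulnerable check stopped; zlib also needs 8..15.
    if (!/^\d+$/.test(raw)) throw new RangeError(`${key} is not a number: ${raw}`)
    const bits = Number(raw)
    if (bits < ZLIB_WINDOW_BITS_MIN || bits > ZLIB_WINDOW_BITS_MAX) {
      throw new RangeError(`${key}=${bits} outside zlib range ${ZLIB_WINDOW_BITS_MIN}-${ZLIB_WINDOW_BITS_MAX}`)
    }
    params[key] = bits
  }
  return params
}

// Wraps the parse the way createInflateRaw() should be wrapped: a bad
// server reply becomes a close reason for the socket, not an uncaught exception.
function negotiateDeflate(headerValue) {
  try {
    return { ok: true, params: parsePermessageDeflate(headerValue) }
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, reason: err.message }
    throw err
  }
}
```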
2 files changed
Lines changed: 5 additions & 4 deletions