- Product: undici (npm)
- Vulnerabilities: 4 flaws (CVE-2026-6734, CVE-2026-9697, CVE-2026-12151, CVE-2026-9675)
- Highest severity: 7.5 (High · CVSSv3)
- Worst impact: vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
- Status: No confirmed exploitation yet; patches available
- Action: Update to the fixed release for your branch now: 7.26.0, 7.28.0, 8.2.0, 8.5.0 (+2); 8.5.0 covers all four
| CVE | CVSS (CVSSv3) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-6734 | 7.5 | vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse | 7.26.0, 8.2.0, 7.28.0 | Not exploited |
| CVE-2026-12151 | 7.5 | WebSocket client vulnerable to denial of service via fragment count bypass | 6.26.0, 7.28.0, 8.5.0 (+1) | Not exploited |
| CVE-2026-9675 | 7.5 | WebSocket client vulnerable to denial of service via cumulative fragment bypass | 8.5.0 | Not exploited |
| CVE-2026-9697 | 7.4 | vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent | 7.28.0, 8.5.0 | Not exploited |
TL;DR
Maintainers have disclosed four undici vulnerabilities in the widely used Node.js HTTP client. The package draws over 133 million weekly downloads, so the blast radius is large. Two flaws cause denial of service. Two more weaken SOCKS5 proxy security. No in-the-wild exploitation has been confirmed.
Why it matters
undici ships inside Node.js itself and powers countless apps. With 133 million weekly downloads, even narrow bugs reach a vast user base. The proxy flaws carry the most weight: one can send a request, credentials included, down a connection that was opened to a different origin, and the other silently ignores a custom CA so that any publicly trusted certificate passes. Together they open the door to data leaks and machine-in-the-middle attacks. Apps that send traffic for several origins through one SOCKS5 ProxyAgent face the highest risk.
How the attacks work
The first proxy bug, CVE-2026-6734, stems from connection pool reuse. When one SOCKS5 proxy agent serves several origins, undici reuses a single pool across them, so a connection tunnelled to origin A can be handed a later request for origin B. Credentials and request bodies then reach the wrong destination, and if the reused connection was opened to a plaintext origin, an HTTPS request is effectively downgraded to HTTP.
The second proxy bug, CVE-2026-9697, drops the requestTls option when the ProxyAgent speaks SOCKS5. The tunnelled connection then validates the server against Node's default trust store instead of the custom CA, so a pinned internal CA is ignored and any certificate chaining to a public root is accepted. An attacker holding such a certificate that passes default validation can read and tamper with the traffic in the middle.
The two WebSocket flaws, CVE-2026-12151 and CVE-2026-9675, are denial-of-service bugs in the client's handling of fragmented messages. A malicious server streams many small or empty fragments; each frame passes per-frame validation, yet the buffered message grows without bound until the process runs out of memory and crashes. CVE-2026-12151 gets past the limit on the number of fragments, while CVE-2026-9675 gets past the check on the cumulative size of the buffered fragments. Apps that connect to untrusted WebSocket endpoints are most exposed.
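The following is an added example, not undici's WebSocket implementation. It shows the two per-message limits a client must enforce while reassembling a fragmented message (a cap on fragment count and a cap on total buffered bytes), and replays three constructed server streams through them: a benign three-part message, a flood of empty continuation frames, and a handful of modest fragments whose sum exceeds the message cap. The limit values, the frame builder and the parser are all assumptions made for the demo.

```javascript
// Added example, not undici's WebSocket implementation. It shows the two
// per-message limits a client must enforce while reassembling a fragmented
// message: a cap on fragment count and a cap on total buffered bytes. The limit
// values are assumed for the demo; frames are built and parsed inline so the
// hostile streams replay offline.

const OP_CONTINUATION = 0x0;
const OP_TEXT = 0x1;
const CLOSE_PROTOCOL_ERROR = 1002;  // RFC 6455 close status codes
const CLOSE_MESSAGE_TOO_BIG = 1009;

class LimitError extends Error {
  constructor(closeCode, message) { super(message); this.closeCode = closeCode; }
}

// Build one unmasked server-to-client frame (servers never mask, RFC 6455 5.1).
function buildFrame(fin, opcode, payload) {
  const first = (fin ? 0x80 : 0) | opcode;
  let header;
  if (payload.length < 126) {
    header = Buffer.from([first, payload.length]);
  } else if (payload.length < 65536) {
    header = Buffer.alloc(4); header[0] = first; header[1] = 126; header.writeUInt16BE(payload.length, 2);
  } else {
    header = Buffer.alloc(10); header[0] = first; header[1] = 127; header.writeBigUInt64BE(BigInt(payload.length), 2);
  }
  return Buffer.concat([header, payload]);
}

// Parse the frame at the start of buf; null means more bytes are needed.
function parseFrame(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  if (buf[1] & 0x80) throw new LimitError(CLOSE_PROTOCOL_ERROR, 'server frame must not be masked');
  let len = buf[1] & 0x7f;
  let offset = 2;
  if (len === 126) { if (buf.length < 4) return null; len = buf.readUInt16BE(2); offset = 4; }
  else if (len === 127) { if (buf.length < 10) return null; len = Number(buf.readBigUInt64BE(2)); offset = 10; }
  if (buf.length < offset + len) return null;
  return { fin, opcode, payload: buf.subarray(offset, offset + len), size: offset + len };
}

class FragmentAssembler {
  constructor({ maxFragments = 1024, maxMessageBytes = 1 << 20 } = {}) {
    this.maxFragments = maxFragments;
    this.maxMessageBytes = maxMessageBytes;
    this.reset();
  }
  reset() { this.opcode = null; this.parts = []; this.bytes = 0; }

  // Returns the complete message when the fin fragment arrives, null otherwise.
  push({ fin, opcode, payload }) {
    if (opcode === OP_CONTINUATION) {
      if (this.opcode === null) throw new LimitError(CLOSE_PROTOCOL_ERROR, 'continuation without a start frame');
    } else {
      if (this.opcode !== null) throw new LimitError(CLOSE_PROTOCOL_ERROR, 'new message inside a fragmented one');
      this.opcode = opcode;
    }
    this.parts.push(payload);
    this.bytes += payload.length;
    // Both checks run on every fragment, empty ones included: the count limit
    // stops a flood of tiny frames, the byte limit stops a few large ones.
    if (this.parts.length > this.maxFragments) { this.reset(); throw new LimitError(CLOSE_MESSAGE_TOO_BIG, 'fragment count exceeded'); }
    if (this.bytes > this.maxMessageBytes) { this.reset(); throw new LimitError(CLOSE_MESSAGE_TOO_BIG, 'message size exceeded'); }
    if (!fin) return null;
    const message = { opcode: this.opcode, data: Buffer.concat(this.parts) };
    this.reset();
    return message;
  }
}

// Replay a byte stream through the assembler; stop at the first violation and
// report the close code the client should send.
function consume(stream, limits) {
  const asm = new FragmentAssembler(limits);
  const messages = [];
  let offset = 0;
  let frames = 0;
  try {
    while (offset < stream.length) {
      const frame = parseFrame(stream.subarray(offset));
      if (!frame) break;
      offset += frame.size;
      frames += 1;
      const message = asm.push(frame);
      if (message) messages.push(message);
    }
  } catch (err) {
    if (!(err instanceof LimitError)) throw err;
    return { messages, frames, closeCode: err.closeCode, reason: err.message };
  }
  return { messages, frames, closeCode: null, reason: null };
}

const repeatFrame = (fin, opcode, payload, n) => Array.from({ length: n }, () => buildFrame(fin, opcode, payload));

// Constructed streams. The benign one is a normal three-part text message.
const benign = Buffer.concat([buildFrame(false, OP_TEXT, Buffer.from('hello ')), buildFrame(false, OP_CONTINUATION, Buffer.from('wor')), buildFrame(true, OP_CONTINUATION, Buffer.from('ld'))]);
// Count flood: one text start, then 5000 empty continuations, each valid on its own.
const countFlood = Buffer.concat([buildFrame(false, OP_TEXT, Buffer.alloc(0)), ...repeatFrame(false, OP_CONTINUATION, Buffer.alloc(0), 5000)]);
// Size creep: ten 300-byte fragments, each modest, that together pass a 1000-byte message cap.
const sizeCreep = Buffer.concat([buildFrame(false, OP_TEXT, Buffer.alloc(300)), ...repeatFrame(false, OP_CONTINUATION, Buffer.alloc(300), 9)]);

console.log(consume(benign, {}).messages[0].data.toString());         // hello world
console.log(consume(countFlood, { maxFragments: 1024 }).closeCode);   // 1009
console.log(consume(sizeCreep, { maxMessageBytes: 1000 }).closeCode); // 1009
```

The point of running both checks on every fragment, including zero-length ones, is that neither bypass class survives: the flood trips the count limit on the 1025th fragment before any memory accumulates, and the creep trips the byte limit on the fourth fragment even though every individual frame is small. A client that only checked one of the two, or that skipped empty frames, would keep buffering.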
Affected versions
The SOCKS5 flaws arrived in undici 7.23.0. CVE-2026-6734 affects releases through 8.1.0. The fragment-count DoS affects builds from 6.17.0 onward. The cumulative-fragment DoS is a regression specific to 8.1.0. The v6.25.0 line shipped the cumulative check early and stays safe from that regression.
Patch and mitigation
Fixes are available now. Update to undici v6.27.0, v7.28.0, v8.2.0, or v8.5.0, depending on your branch; v8.5.0 covers all four issues. Check the official undici security advisories on GitHub for the exact version mapping, and pull the release from the undici npm page. No public proof-of-concept has been confirmed, but the package's reach makes prompt patching wise. Audit transitive dependencies too, since many libraries bundle undici: running npm ls undici in a project lists every copy in its dependency tree, and the copy built into Node.js for global fetch is only updated by a Node.js release. If you cannot upgrade, use a separate SOCKS5 agent per origin as a stopgap. That isolates origins from each other but does not restore the dropped requestTls option, so do not rely on a custom CA pin through a SOCKS5 ProxyAgent until you are on a fixed release.
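The following is an added example, not undici's own code, illustrating the pool-reuse bug and the per-origin stopgap above together with the requestTls point. It models two dispatcher-selection policies: keying a SOCKS5 dispatcher by proxy alone, so a tunnel opened to origin A is handed a later request for origin B and the pin configured for B never reaches it, versus keying by request origin. The agent factory is injected and stands in for the real constructor, so the demo runs offline; the proxy URI, origins and CA material are constructed, and the shape of the real ProxyAgent call is not shown.

```javascript
// Added example, not undici's own code. It models the dispatcher-selection
// policies this page contrasts: keying a SOCKS5 dispatcher by proxy alone, so a
// tunnel opened to origin A can be handed a later request for origin B, versus
// keying it by request origin. The factory is injected so the demo runs offline;
// a real factory would construct the project's ProxyAgent with the proxy URI and
// the origin's requestTls options (constructor shape not shown, assumed).

const PROXY_URI = 'socks5://proxy.internal:1080'; // constructed value

// Flawed policy: every destination collapses onto the single proxy key.
const keyByProxy = () => PROXY_URI;
// Fixed policy: scheme + host + port. https://h and http://h are different keys,
// so a TLS request can never be written onto a plaintext tunnel.
const keyByOrigin = (url) => new URL(url).origin;

class DispatcherCache {
  constructor(createAgent, keyFor, pins = new Map()) {
    this.createAgent = createAgent; // (firstUrl, { requestTls }) => dispatcher
    this.keyFor = keyFor;
    this.pins = pins;               // origin -> requestTls options such as { ca }
    this.agents = new Map();
  }

  get(url) {
    const key = this.keyFor(url);
    let agent = this.agents.get(key);
    if (!agent) {
      // The pin is looked up for the origin of the request that opens the
      // tunnel; under the flawed key every later origin inherits it, or its absence.
      const requestTls = this.pins.get(new URL(url).origin) ?? null;
      agent = this.createAgent(url, { requestTls });
      this.agents.set(key, agent);
    }
    return agent;
  }
}

// Constructed stand-in dispatcher: remembers the origin its tunnel was opened to
// and the TLS options it was built with, the two properties the flaws affect.
function fakeAgentFactory(firstUrl, { requestTls }) {
  return { target: new URL(firstUrl).origin, ca: requestTls ? requestTls.ca : null };
}

// Dispatch each URL and report where it actually went and whether a pin rode along.
function routeAll(cache, urls) {
  return urls.map((url) => {
    const agent = cache.get(url);
    const wanted = new URL(url).origin;
    return { url, wanted, sentTo: agent.target, misrouted: agent.target !== wanted, pinned: agent.ca !== null };
  });
}

// Constructed inputs: a plaintext legacy origin talks first, then the pinned API.
const PINS = new Map([['https://api.example', { ca: 'constructed internal CA PEM' }]]);
const URLS = ['http://legacy.example/health', 'https://api.example/login', 'https://api.example/me'];

function demo() {
  return {
    flawed: routeAll(new DispatcherCache(fakeAgentFactory, keyByProxy, PINS), URLS),
    fixed: routeAll(new DispatcherCache(fakeAgentFactory, keyByOrigin, PINS), URLS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the flawed key the login request for https://api.example is written onto the tunnel that was opened to http://legacy.example, unpinned and in the clear; under the per-origin key each origin gets its own dispatcher and only the https origin carries the CA. The same per-origin keying is what the stopgap of one SOCKS5 agent per origin achieves by hand.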