Skip to content

chore(deps): update dependency undici to v6 [security]#418

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-undici-vulnerability
Open

chore(deps): update dependency undici to v6 [security]#418
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-undici-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
undici (source) ^8.0.0^6.0.0 age confidence

Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential consequences:

  • Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  • HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

  1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
  2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
  3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nodejs/undici (undici)

v6.24.0

Compare Source

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v6.23.0

Compare Source

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

v6.19.2

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

v6.19.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

v6.19.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

v6.18.2

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.18.1...v6.18.2

v6.18.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.18.0...v6.18.1

v6.18.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.17.0...v6.18.0

v6.17.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.16.1...v6.17.0

v6.16.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.16.0...v6.16.1

v6.16.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.15.0...v6.16.0

v6.15.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.14.1...v6.15.0

v6.14.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.14.0...v6.14.1

v6.14.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.13.0...v6.14.0

v6.13.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.12.0...v6.13.0

v6.12.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.11.1...v6.12.0

v6.11.1

Compare Source

⚠️ Security Release ⚠️

What's Changed

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/foundry-erc20/lib/openzeppelin-contracts/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: openzeppelin-solidity@5.0.0
npm error Found: hardhat@3.9.1
npm error node_modules/hardhat
npm error   dev hardhat@"^3.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer hardhat@"^2.28.0" from @nomicfoundation/hardhat-ethers@3.1.3
npm error node_modules/@nomicfoundation/hardhat-ethers
npm error   dev @nomicfoundation/hardhat-ethers@"^3.1.3" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-06T17_16_52_409Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-06T17_16_52_409Z-debug-0.log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants