Undici v7.24.0 Security Release Notes
This release addresses multiple security vulnerabilities in Undici.
Upgrade guidance
All users on v7 should upgrade to v7.24.0 or later.
Fixed advisories
- GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium): Inconsistent interpretation of HTTP requests (a request/response smuggling class issue).
- GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High): A malicious WebSocket frame with a 64-bit frame length could crash the client.
- GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium): Unbounded memory consumption in the deduplication interceptor's response buffering (denial-of-service risk).
- GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium): CRLF injection via the upgrade option.
- GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High): Unhandled exception from an invalid server_max_window_bits value during WebSocket permessage-deflate negotiation.
- GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High): Unbounded memory consumption in WebSocket permessage-deflate decompression.
Affected and patched ranges
- CVE-2026-1525: affected >= 7.0.0, < 7.24.0; patched in 7.24.0
- CVE-2026-1528: affected >= 7.0.0, < 7.24.0; patched in 7.24.0
- CVE-2026-2581: affected >= 7.17.0, < 7.24.0; patched in 7.24.0
- CVE-2026-1527: affected >= 7.0.0, < 7.24.0; patched in 7.24.0
- CVE-2026-2229: affected >= 7.0.0, < 7.24.0; patched in 7.24.0
- CVE-2026-1526: affected >= 7.0.0, < 7.24.0; patched in 7.24.0
References
- GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
- NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
- NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
- NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
- NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
- NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
- NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526