Your message dated Sat, 20 Jun 2026 14:34:45 +0000
with message-id <[email protected]>
and subject line Bug#1140363: fixed in node-undici 8.5.0+dfsg+~cs3.2.0-1
has caused the Debian Bug report #1140363,
regarding node-undici: CVE-2026-6733 CVE-2026-6734 CVE-2026-9678 CVE-2026-9679 CVE-2026-9697 CVE-2026-11525 CVE-2026-12151
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140363
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-undici
Version: 7.24.6+dfsg+~cs3.2.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-undici.

CVE-2026-6733[0]:
| Impact: Undici's HTTP/1.1 client is vulnerable to response queue
| poisoning on reused keep-alive sockets. An attacker-controlled
| upstream server can inject an unsolicited HTTP/1.1 response onto an
| idle socket after a request completes. When the client dispatches
| the next request on that socket, it associates the injected response
| with the new request, causing responses to be delivered to the wrong
| requests.  This requires an attacker-controlled or compromised
| upstream HTTP/1.1 server and keep-alive connection reuse.  Patches:
| Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.  Workarounds: Disable
| keep-alive connection reuse by setting keepAliveTimeout: 0 on the
| Client or Pool.


CVE-2026-6734[1]:
| Impact: When using Socks5ProxyAgent, undici reuses a single
| connection pool across different origins without verifying that the
| pool's origin matches the requested origin. All requests are
| dispatched through the pool connected to the first origin,
| regardless of the intended destination.  This causes cross-origin
| request routing: credentials and request data intended for origin B
| are sent to origin A, responses from the wrong origin are trusted,
| and HTTPS requests may be silently downgraded to HTTP.  Impacted
| users are applications that use Socks5ProxyAgent (directly or via
| setGlobalDispatcher) and make requests to more than one origin.
| This was introduced in undici 7.23.0 via PR #4385 and affects all
| versions through 8.1.0.  Patches: Upgrade to undici v7.26.0 or
| v8.2.0.  Workarounds: Use a separate Socks5ProxyAgent instance per
| origin, or avoid using Socks5ProxyAgent with multiple origins.


CVE-2026-9678[2]:
| Impact: Undici's cache interceptor incorrectly classifies some
| responses as cacheable when the upstream Cache-Control header uses
| whitespace-padded qualified private or no-cache field names such as
| private=" authorization" or no-cache="\tauthorization". The parser
| preserves the surrounding whitespace, so later comparisons against
| the literal authorization field name fail and the response is
| stored.  In shared-cache mode, this allows a response containing one
| user's authenticated data to be served from cache to a subsequent
| caller, including an unauthenticated caller, when both requests
| resolve to the same cache key.  Affected applications are those that
| explicitly enable the cache interceptor (interceptors.cache()) in
| shared mode, forward Authorization headers upstream, and receive
| cacheable responses with non-canonical qualified private or no-cache
| directives.  Patches: Upgrade to undici v7.28.0 or v8.5.0.
| Workarounds: If upgrade is not immediately possible, disable
| shared-cache mode for traffic that includes Authorization headers, avoid
| caching responses to authenticated requests, or add Vary:
| Authorization upstream.


CVE-2026-9679[3]:
| Impact: undici's cookie parser in parseSetCookie percent-decodes
| cookie values via qsUnescape, turning encoded sequences like %0D%0A,
| %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4
| does not specify any decoding and browsers do not decode either.
| Applications that parse a Set-Cookie header and then forward the
| parsed value into a response header (proxies, middleware, SSR
| frameworks) become vulnerable to HTTP response header injection: an
| attacker-controlled upstream can inject arbitrary Set-Cookie,
| Location, or Cache-Control headers into the application's downstream
| response, enabling session fixation, open redirect, or cache
| poisoning.  Affected applications are those that use undici's cookie
| parsing (parseSetCookie, parseCookie, getSetCookies) and forward the
| parsed cookie value into a response header.  This was introduced in
| undici 7.0.0 via PR #3789.  Patches: Upgrade to undici v6.26.0,
| v7.28.0 or v8.5.0.  Workarounds: If upgrade is not immediately
| possible, do not forward values returned by
| parseSetCookie/parseCookie/getSetCookies directly into response
| headers; sanitize the value first to strip or reject CR, LF, NUL, ;,
| and = bytes.


CVE-2026-9697[4]:
| Impact: undici's ProxyAgent silently drops the requestTls option
| when configured with a SOCKS5 proxy URI (socks5:// or socks://). The
| target HTTPS connection through the SOCKS5 tunnel falls back to
| Node's default trust store, ignoring user-configured ca, cert, key,
| rejectUnauthorized, and servername settings.  Applications that pin
| to an internal or corporate CA via requestTls.ca will, when their
| proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust
| anchor instead. Any cert signed by any publicly-trusted CA for the
| target hostname is accepted, breaking the intended pin and enabling
| MITM read and tamper of the HTTPS exchange.  Affected applications
| are those that use undici's ProxyAgent (or Socks5ProxyAgent
| directly) with SOCKS5 AND rely on requestTls for TLS scope
| restriction. The bug was introduced in undici 7.23.0 when SOCKS5
| support was added.  Patches: Upgrade to undici v7.28.0 or v8.5.0.
| Workarounds: No workaround is available within the SOCKS5 path. If a
| SOCKS5 proxy with TLS scope restriction is required and an upgrade
| is not yet possible, route the traffic through an HTTP-proxy
| ProxyAgent instead, where requestTls is honored correctly.


CVE-2026-11525[5]:
| Impact: When undici parses a Set-Cookie header, it accepts any
| SameSite attribute value that contains Strict, Lax, or None as a
| substring, rather than the case-insensitive exact match specified by
| RFC 6265. Non-spec values are silently mapped to one of the three
| standard tokens. For example, SameSite=NoneOfYourBusiness is parsed
| as None (the most permissive setting), and SameSite=StrictLax is
| parsed as Lax (a downgrade from Strict).  Affected applications are
| those that consume Set-Cookie headers from server responses (for
| example via undici's fetch or proxy code paths) and then forward or
| rely on the parsed sameSite attribute. A malicious or non-compliant
| server can coerce the consumer's view of a cookie's SameSite policy
| to a weaker value, silently degrading the SameSite enforcement the
| cookie is supposed to provide.  This was introduced in undici 5.15.0
| when the cookies feature was added.  Patches: Upgrade to undici
| v6.26.0, v7.28.0 or v8.5.0.  Workarounds: After parsing a Set-Cookie
| header, validate that the resulting sameSite attribute is one of
| 'Strict', 'Lax', or 'None' (exact, case-insensitive) before
| forwarding or relying on it.


CVE-2026-12151[6]:
| Impact: The undici WebSocket client enforces maxPayloadSize on the
| cumulative byte count of fragments in a message but does not enforce
| a limit on the number of fragments. A malicious WebSocket server can
| stream many small or empty continuation frames that each pass
| per-frame and cumulative-size validation, collectively causing unbounded
| memory growth in the client process. The result is memory exhaustion
| and a denial of service.  Affected applications are those using the
| undici WebSocket client (new WebSocket(...)) or the WebSocketStream
| API that can be induced to connect to an attacker-controlled or
| compromised WebSocket endpoint.  All releases starting at undici
| 6.17.0 are affected.  Patches: Upgrade to undici >= 6.26.0, >=
| 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The
| fix must be applied through an upgrade.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6733
    https://www.cve.org/CVERecord?id=CVE-2026-6733
[1] https://security-tracker.debian.org/tracker/CVE-2026-6734
    https://www.cve.org/CVERecord?id=CVE-2026-6734
[2] https://security-tracker.debian.org/tracker/CVE-2026-9678
    https://www.cve.org/CVERecord?id=CVE-2026-9678
[3] https://security-tracker.debian.org/tracker/CVE-2026-9679
    https://www.cve.org/CVERecord?id=CVE-2026-9679
[4] https://security-tracker.debian.org/tracker/CVE-2026-9697
    https://www.cve.org/CVERecord?id=CVE-2026-9697
[5] https://security-tracker.debian.org/tracker/CVE-2026-11525
    https://www.cve.org/CVERecord?id=CVE-2026-11525
[6] https://security-tracker.debian.org/tracker/CVE-2026-12151
    https://www.cve.org/CVERecord?id=CVE-2026-12151

Regards,
Salvatore

--- End Message ---
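The workarounds quoted above for CVE-2026-9679, CVE-2026-11525 and CVE-2026-9678 all amount to the same thing: never trust a parsed header value until it has been normalised and checked. The following is an added illustration, not undici's own code or a Debian patch; the function names and the sample Cache-Control strings are constructed for it.

```javascript
// Added example (not undici's code): defensive checks on values that come out
// of a Set-Cookie or Cache-Control parser, implementing the workarounds the
// advisories above describe. Function names and inputs are constructed here.

// CVE-2026-9679: a parsed cookie value must not be forwarded into a response
// header if it carries CR, LF, NUL, ';' or '=' (percent-decoding can produce them).
function isSafeCookieValue(value) {
  return !/[\r\n\x00;=]/.test(String(value));
}

// CVE-2026-11525: accept SameSite only as an exact, case-insensitive match of
// Strict / Lax / None; anything else is rejected instead of mapped to a token.
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);
function normalizeSameSite(value) {
  return SAME_SITE.get(String(value).toLowerCase()) ?? null;
}

// CVE-2026-9678: split Cache-Control on commas that are outside quoted strings,
// so private="authorization, set-cookie" stays one directive.
function splitDirectives(header) {
  const out = [];
  let cur = '';
  let quoted = false;
  for (const ch of header) {
    if (ch === '"') quoted = !quoted;
    if (ch === ',' && !quoted) { out.push(cur); cur = ''; } else cur += ch;
  }
  out.push(cur);
  return out.map((s) => s.trim()).filter(Boolean);
}

// True when a qualified private= or no-cache= directive names the Authorization
// header. Each field name is trimmed before comparison, so the whitespace-padded
// forms private=" authorization" and no-cache="\tauthorization" are recognised.
function qualifiedDirectiveNamesAuthorization(cacheControl) {
  for (const directive of splitDirectives(cacheControl)) {
    const eq = directive.indexOf('=');
    if (eq === -1) continue;
    const name = directive.slice(0, eq).trim().toLowerCase();
    if (name !== 'private' && name !== 'no-cache') continue;
    let raw = directive.slice(eq + 1).trim();
    if (raw.startsWith('"') && raw.endsWith('"')) raw = raw.slice(1, -1);
    const fields = raw.split(',').map((f) => f.trim().toLowerCase());
    if (fields.includes('authorization')) return true;
  }
  return false;
}
```

A shared cache that forwards Authorization upstream should consult the last function before storing a response, and a proxy should run the first two on every parsed cookie before re-emitting it.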
--- Begin Message ---
Source: node-undici
Source-Version: 8.5.0+dfsg+~cs3.2.0-1
Done: Jérémy Lal <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <[email protected]> (supplier of updated node-undici package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 20 Jun 2026 15:47:40 +0200
Source: node-undici
Architecture: source
Version: 8.5.0+dfsg+~cs3.2.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Jérémy Lal <[email protected]>
Closes: 1140363
Changes:
 node-undici (8.5.0+dfsg+~cs3.2.0-1) experimental; urgency=medium
 .
   * New upstream version 8.5.0+dfsg+~cs3.2.0.
     Fixes the following vulnerabilities. Closes: #1140363.
     High severity:
     + CVE-2026-12151: WebSocket DoS via fragment count bypass
     + CVE-2026-9697: TLS certificate validation bypass in SOCKS5 ProxyAgent
     + CVE-2026-6734: Cross-origin request routing via SOCKS5 proxy pool reuse
     Medium severity:
     + CVE-2026-9678: Cross-user information disclosure via shared cache whitespace bypass
     + CVE-2026-9679: HTTP header injection via Set-Cookie percent-decoding
     Low severity:
     + CVE-2026-11525: Set-Cookie SameSite attribute downgrade
     + CVE-2026-6733: HTTP response queue poisoning via keep-alive socket reuse
   * Drop applied patch
   * Refresh patch
   * Drop another test (release.js)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
