Skip to content

chore(deps): update dependency undici to v7.24.0 [security]#4040

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-undici-vulnerability
Open

chore(deps): update dependency undici to v7.24.0 [security]#4040
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-undici-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
undici (source) 7.16.07.24.0 age confidence

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

CVE-2026-1528 / GHSA-f269-vfmq-vjvj

More information

Details

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

There are no workarounds.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential consequences:

  • Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  • HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

  1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
  2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
  3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nodejs/undici (undici)

v7.24.0

Compare Source

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories
Affected and patched ranges
References

v7.23.0

Compare Source

What's Changed
New Contributors

Full Changelog: nodejs/undici@v7.22.0...v7.23.0

v7.22.0

Compare Source

What's Changed
New Contributors

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

Compare Source

What's Changed
New Contributors

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

Compare Source

What's Changed
New Contributors

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

Compare Source

What's Changed
New Contributors

Full Changelog: nodejs/undici@v7.19.1...v7.19.2

v7.19.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.19.0...v7.19.1

v7.19.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.18.2...v7.19.0

v7.18.2

Compare Source

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

What's Changed

  • fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in #​4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.16.0...v7.17.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner January 14, 2026 22:14
@renovate renovate Bot requested review from NoritakaIkeda, junkisai and sasamuku and removed request for a team January 14, 2026 22:14
@vercel

vercel Bot commented Jan 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
liam-app Ready Ready Preview, Comment Jul 12, 2026 1:17pm
liam-assets Ready Ready Preview Jul 12, 2026 1:17pm
liam-docs Ready Ready Preview, Comment Jul 12, 2026 1:17pm
liam-erd-sample Ready Ready Preview Jul 12, 2026 1:17pm
liam-storybook Ready Ready Preview, Comment Jul 12, 2026 1:17pm

Request Review

@giselles-ai

giselles-ai Bot commented Jan 14, 2026

Copy link
Copy Markdown

Finished running flow.

Step 1
🟢
On Pull Request OpenedStatus: Success Updated: Jan 14, 2026 10:14pm
Step 2
🟢
gpt-5Status: Success Updated: Jan 14, 2026 10:16pm
Step 3
🟢
Create Pull Request CommentStatus: Success Updated: Jan 14, 2026 10:16pm

@coderabbitai

coderabbitai Bot commented Jan 14, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@giselles-ai

giselles-ai Bot commented Jan 14, 2026

Copy link
Copy Markdown

Check changeset necessity

Status: NOT REQUIRED

Reason:

  • Only the root pnpm overrides and lockfile were updated to pin undici from 7.16.0 to 7.18.2; no package code or manifests for target packages (@liam-hq/cli, @liam-hq/erd-core, @liam-hq/schema, @liam-hq/ui) were changed.
  • This is a dependency bump for security hardening with no user-facing feature, API, or behavior changes in our published packages.
  • Lockfile and tooling/override adjustments do not affect consumers directly and are considered non-user-facing per the guide.

Changeset (copy & paste):

# No changeset required for this PR (dependency override/lockfile only).

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional flags.

Open in Devin Review

@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 8abb6ed to 3dd1870 Compare April 29, 2026 19:06
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 3dd1870 to e0ed5e7 Compare May 12, 2026 10:55
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from e0ed5e7 to 42592b7 Compare May 28, 2026 17:42
@renovate renovate Bot changed the title Update dependency undici to v7.24.0 [SECURITY] chore(deps): update dependency undici to v7.24.0 [security] Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 42592b7 to d0e4ef1 Compare July 12, 2026 13:12
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

pnpm-lock.yaml

NameVersionVulnerabilitySeverity
undici7.24.0undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgenthigh
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reusehigh
undici WebSocket client vulnerable to denial of service via fragment count bypasshigh
undici vulnerable to cross-user information disclosure via shared cache whitespace bypassmoderate
undici vulnerable to HTTP header injection via Set-Cookie percent-decodingmoderate
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuselow
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matchinglow

OpenSSF Scorecard

PackageVersionScoreDetails
npm/undici 7.24.0 🟢 8.2
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1030 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 8binaries present in source code
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 73 existing vulnerabilities detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Packaging🟢 10packaging workflow detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 76 contributing companies or organizations

Scanned Files

  • pnpm-lock.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants