Commit ee6b102
Upgrade: [dependabot] - bump undici from 5.29.0 to 7.24.1 (#139)
Bumps [undici](https://github.com/nodejs/undici) from 5.29.0 to 7.24.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v7.24.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: <code>__proto__</code> pollution by <a
href="https://github.com/rahulyadav5524"><code>@rahulyadav5524</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/4885">nodejs/undici#4885</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1">https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1</a></p>
<h2>v7.24.0</h2>
<h1>Undici v7.24.0 Security Release Notes</h1>
<p>This release addresses multiple security vulnerabilities in
Undici.</p>
<h2>Upgrade guidance</h2>
<p>All users on v7 should upgrade to <strong>v7.24.0</strong> or
later.</p>
<h2>Fixed advisories</h2>
<ul>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm">GHSA-2mjp-6q6p-2qxm</a>
/ CVE-2026-1525 (Medium)<br />
Inconsistent interpretation of HTTP requests (request/response smuggling
class issue).</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj">GHSA-f269-vfmq-vjvj</a>
/ CVE-2026-1528 (High)<br />
Malicious WebSocket 64-bit frame length handling could crash the
client.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h">GHSA-phc3-fgpg-7m6h</a>
/ CVE-2026-2581 (Medium)<br />
Unbounded memory consumption in deduplication interceptor response
buffering (DoS risk).</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq">GHSA-4992-7rv2-5pvq</a>
/ CVE-2026-1527 (Medium)<br />
CRLF injection via the <code>upgrade</code> option.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8">GHSA-v9p9-hfj2-hcw8</a>
/ CVE-2026-2229 (High)<br />
Unhandled exception from invalid <code>server_max_window_bits</code> in
WebSocket permessage-deflate negotiation.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q">GHSA-vrm6-8vpv-qv8q</a>
/ CVE-2026-1526 (High)<br />
Unbounded memory consumption in WebSocket permessage-deflate
decompression.</p>
</li>
</ul>
<h2>Affected and patched ranges</h2>
<ul>
<li>CVE-2026-1525: affected <code>7.0.0 &lt; 7.24.0</code>, patched
<code>7.24.0</code></li>
<li>CVE-2026-1528: affected <code>7.0.0 &lt; 7.24.0</code>, patched
<code>7.24.0</code></li>
<li>CVE-2026-2581: affected <code>&gt;= 7.17.0 &lt; 7.24.0</code>,
patched <code>7.24.0</code></li>
<li>CVE-2026-1527: affected <code>7.0.0 &lt; 7.24.0</code>, patched
<code>7.24.0</code></li>
<li>CVE-2026-2229: affected <code>7.0.0 &lt; 7.24.0</code>, patched
<code>7.24.0</code></li>
<li>CVE-2026-1526: affected <code>7.0.0 &lt; 7.24.0</code>, patched
<code>7.24.0</code></li>
</ul>
<h2>References</h2>
<ul>
<li>GitHub Security Advisories: <a
href="https://github.com/nodejs/undici/security/advisories">https://github.com/nodejs/undici/security/advisories</a></li>
<li>NVD CVE-2026-1525: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1525">https://nvd.nist.gov/vuln/detail/CVE-2026-1525</a></li>
<li>NVD CVE-2026-1528: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1528">https://nvd.nist.gov/vuln/detail/CVE-2026-1528</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/23e3cd362ba6beb3988e6a9a63000336dd219591"><code>23e3cd3</code></a>
Bumped v7.24.1</li>
<li><a
href="https://github.com/nodejs/undici/commit/3aedaa8d5f701da767616df2dced7d4daa7c1566"><code>3aedaa8</code></a>
remove PLAN.md</li>
<li><a
href="https://github.com/nodejs/undici/commit/0d7ec33ff37563d3e7c98d11d7bca736f330d156"><code>0d7ec33</code></a>
fix: <code>__proto__</code> pollution (<a
href="https://redirect.github.com/nodejs/undici/issues/4885">#4885</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/07a39067a0485c1953196f500d945fe09378a176"><code>07a3906</code></a>
Bumped v7.24.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/4887">#4887</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/74495c63ab23ef39be99983ed6de81df5d203d45"><code>74495c6</code></a>
fix: reject duplicate content-length and host headers</li>
<li><a
href="https://github.com/nodejs/undici/commit/84235c62e0fe7494cec13f81d5732db0859df417"><code>84235c6</code></a>
Fix websocket 64-bit length overflow</li>
<li><a
href="https://github.com/nodejs/undici/commit/77594f923cef4c27ee0bad365e7b4c44a199edae"><code>77594f9</code></a>
fix: validate upgrade header to prevent CRLF injection</li>
<li><a
href="https://github.com/nodejs/undici/commit/cb79c5704ac47e42ce01a72269994fc70e377536"><code>cb79c57</code></a>
fix: validate server_max_window_bits range in permessage-deflate</li>
<li><a
href="https://github.com/nodejs/undici/commit/4147ce21277b3566d02d3be789e5f7a490089db2"><code>4147ce2</code></a>
Merge commit '2ee00cb3'</li>
<li><a
href="https://github.com/nodejs/undici/commit/2ee00cb322c76b0bf56829462d7c1dc53d1cbe3d"><code>2ee00cb</code></a>
fix(websocket): add maxDecompressedMessageSize limit for
permessage-deflate</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v5.29.0...v7.24.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub">GitHub Actions</a>, a new releaser for
undici since your current version.</p>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />
Signed-off-by: dependabot[bot] &lt;support@github.com&gt;
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
1 parent bda627e commit ee6b102
1 file changed
Lines changed: 3 additions & 3 deletions
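As an added triage example (not code from this commit, from undici or from dependabot), the Node.js script below encodes the affected and patched ranges quoted in the release notes above and reports which of the listed CVEs apply to a given installed undici version; it assumes exactly the v7 ranges printed there and nothing about other release lines.

```javascript
// Added triage example, not code from undici, dependabot or this repository.
// ADVISORIES transcribes the "Affected and patched ranges" quoted in the commit
// message: each entry means  min <= version < max  for the v7 release line.
const ADVISORIES = [
  { cve: "CVE-2026-1525", min: "7.0.0",  max: "7.24.0" }, // HTTP request smuggling class
  { cve: "CVE-2026-1528", min: "7.0.0",  max: "7.24.0" }, // WebSocket 64-bit frame length
  { cve: "CVE-2026-2581", min: "7.17.0", max: "7.24.0" }, // dedup interceptor buffering
  { cve: "CVE-2026-1527", min: "7.0.0",  max: "7.24.0" }, // CRLF injection via upgrade
  { cve: "CVE-2026-2229", min: "7.0.0",  max: "7.24.0" }, // server_max_window_bits
  { cve: "CVE-2026-1526", min: "7.0.0",  max: "7.24.0" }, // permessage-deflate memory
];

// Parse a plain "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
// Pre-release or build suffixes are rejected rather than silently rounded, so a
// "7.24.0-rc.1" is never mistaken for the patched 7.24.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, part-by-part comparison (so 7.9.0 < 7.10.0, unlike a string compare).
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// True when the version lies in the half-open range [min, max).
function isAffected(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) < 0;
}

// CVE ids from the table that apply to the given installed version. An empty
// result means "not in this table"; for a pre-7 version (the 5.29.0 this commit
// upgrades from) that does not imply the release is free of its own advisories.
function affectedAdvisories(version) {
  return ADVISORIES.filter((a) => isAffected(version, a)).map((a) => a.cve);
}

// Demo on constructed versions; in practice feed the version resolved in the
// lockfile (for example the one reported by `npm ls undici --json`).
for (const v of ["7.10.0", "7.20.3", "7.24.1"]) {
  const hits = affectedAdvisories(v);
  console.log(`${v}: ${hits.length ? hits.join(", ") : "no listed advisory applies"}`);
}
```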