Vulnerability-Lookup

RHSA-2026:22380

Vulnerability from csaf_redhat - Published: 2026-06-02 03:47 - Updated: 2026-06-19 13:47

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: nodejs26: * nodejs26-26.3.0-1.2.hum1 (aarch64, x86_64) * nodejs26-bin-26.3.0-1.2.hum1 (noarch) * nodejs26-devel-26.3.0-1.2.hum1 (aarch64, x86_64) * nodejs26-docs-26.3.0-1.2.hum1 (noarch) * nodejs26-full-i18n-26.3.0-1.2.hum1 (aarch64, x86_64) * nodejs26-libs-26.3.0-1.2.hum1 (aarch64, x86_64) * nodejs26-npm-11.16.0-1.26.3.0.1.2.hum1 (noarch) * nodejs26-npm-bin-26.3.0-1.2.hum1 (noarch) * v8-14.6-devel-14.6.202.34-1.26.3.0.1.2.hum1 (aarch64, x86_64) * nodejs26-26.3.0-1.2.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-6734

A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-940 - Improper Verification of Source of a Communication Channel

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-9678

A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-9697

A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js's default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-295 - Improper Certificate Validation

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-45149

A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64	—	Vendor Fix fix

Threats

Impact Moderate

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:22380	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-45149	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-9697	external
https://access.redhat.com/security/cve/CVE-2026-6734	external
https://access.redhat.com/security/cve/CVE-2026-9675	external
https://access.redhat.com/security/cve/CVE-2026-9678	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-6734	self
https://bugzilla.redhat.com/show_bug.cgi?id=2490024	external
https://www.cve.org/CVERecord?id=CVE-2026-6734	external
https://nvd.nist.gov/vuln/detail/CVE-2026-6734	external
https://cna.openjsf.org/security-advisories.html	external
https://github.com/nodejs/undici/security/advisor…	external
https://access.redhat.com/security/cve/CVE-2026-9678	self
https://bugzilla.redhat.com/show_bug.cgi?id=2490000	external
https://www.cve.org/CVERecord?id=CVE-2026-9678	external
https://nvd.nist.gov/vuln/detail/CVE-2026-9678	external
https://github.com/nodejs/undici/security/advisor…	external
https://access.redhat.com/security/cve/CVE-2026-9697	self
https://bugzilla.redhat.com/show_bug.cgi?id=2490018	external
https://www.cve.org/CVERecord?id=CVE-2026-9697	external
https://nvd.nist.gov/vuln/detail/CVE-2026-9697	external
https://github.com/nodejs/undici/security/advisor…	external
https://access.redhat.com/security/cve/CVE-2026-45149	self
https://bugzilla.redhat.com/show_bug.cgi?id=2483481	external
https://www.cve.org/CVERecord?id=CVE-2026-45149	external
https://nvd.nist.gov/vuln/detail/CVE-2026-45149	external
https://github.com/juliangruber/brace-expansion/s…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nnodejs26:\n  * nodejs26-26.3.0-1.2.hum1 (aarch64, x86_64)\n  * nodejs26-bin-26.3.0-1.2.hum1 (noarch)\n  * nodejs26-devel-26.3.0-1.2.hum1 (aarch64, x86_64)\n  * nodejs26-docs-26.3.0-1.2.hum1 (noarch)\n  * nodejs26-full-i18n-26.3.0-1.2.hum1 (aarch64, x86_64)\n  * nodejs26-libs-26.3.0-1.2.hum1 (aarch64, x86_64)\n  * nodejs26-npm-11.16.0-1.26.3.0.1.2.hum1 (noarch)\n  * nodejs26-npm-bin-26.3.0-1.2.hum1 (noarch)\n  * v8-14.6-devel-14.6.202.34-1.26.3.0.1.2.hum1 (aarch64, x86_64)\n  * nodejs26-26.3.0-1.2.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:22380",
        "url": "https://access.redhat.com/errata/RHSA-2026:22380"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-45149",
        "url": "https://access.redhat.com/security/cve/CVE-2026-45149"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9697",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9697"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6734",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6734"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9675",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9675"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9678",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9678"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_22380.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-19T13:47:09+00:00",
      "generator": {
        "date": "2026-06-19T13:47:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:22380",
      "initial_release_date": "2026-06-02T03:47:28+00:00",
      "revision_history": [
        {
          "date": "2026-06-02T03:47:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-18T11:12:55+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-19T13:47:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@aarch64",
                "product": {
                  "name": "nodejs26-main@aarch64",
                  "product_id": "nodejs26-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.3.0-1.2.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@src",
                "product": {
                  "name": "nodejs26-main@src",
                  "product_id": "nodejs26-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.3.0-1.2.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@x86_64",
                "product": {
                  "name": "nodejs26-main@x86_64",
                  "product_id": "nodejs26-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.3.0-1.2.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@noarch",
                "product": {
                  "name": "nodejs26-main@noarch",
                  "product_id": "nodejs26-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26-bin@26.3.0-1.2.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@aarch64"
        },
        "product_reference": "nodejs26-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@noarch"
        },
        "product_reference": "nodejs26-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@src"
        },
        "product_reference": "nodejs26-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@x86_64"
        },
        "product_reference": "nodejs26-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6734",
      "cwe": {
        "id": "CWE-940",
        "name": "Improper Verification of Source of a Communication Channel"
      },
      "discovery_date": "2026-06-17T19:04:00.272340+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490024"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is rated as an Important security flaw. The `undici` library, when configured with `Socks5ProxyAgent` to handle requests for multiple origins, incorrectly reuses connection pools. This can lead to sensitive data and credentials being misrouted to unintended destinations, potentially downgrading HTTPS connections to HTTP and compromising data integrity and confidentiality. Red Hat products utilizing `undici` with `Socks5ProxyAgent` in multi-origin scenarios are affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6734"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490024",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6734",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6734"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj"
        }
      ],
      "release_date": "2026-06-17T16:36:55.439000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T03:47:28+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22380"
        },
        {
          "category": "workaround",
          "details": "The single most impactful mitigation is applying network egress controls to restrict which external destinations affected applications can reach. Because the vulnerability causes requests to be misrouted to wrong origins, limiting the set of reachable origins directly reduces the attack surface. These controls collectively limit the blast radius of the connection pool misrouting \u2014 the attacker must compromise one of the explicitly allowed destinations rather than any arbitrary origin \u2014 but they do not fix the underlying logic bug.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing"
    },
    {
      "cve": "CVE-2026-9678",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2026-06-17T19:01:33.359372+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490000"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: Undici: Information disclosure due to improper cache-control header parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Moderate information disclosure flaw in Undici\u0027s cache interceptor, when configured in shared-cache mode, allows an unauthenticated attacker to retrieve sensitive authenticated user data. This is due to incorrect parsing of Cache-Control headers containing whitespace-padded field names, leading to cached responses being served improperly. Red Hat products are affected if they explicitly enable shared-cache mode, forward Authorization headers, and process non-canonical Cache-Control directives.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9678"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490000",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9678",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9678"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
        }
      ],
      "release_date": "2026-06-17T17:04:09.680000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T03:47:28+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22380"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "undici: Undici: Information disclosure due to improper cache-control header parsing"
    },
    {
      "cve": "CVE-2026-9697",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2026-06-17T19:03:30.813843+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490018"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. When undici\u0027s ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js\u0027s default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important vulnerability. Applications using `undici`\u0027s `ProxyAgent` with a SOCKS5 proxy URI will silently ignore user-configured TLS options, including custom Certificate Authorities. This bypasses intended security controls for HTTPS communication, enabling a remote attacker to perform Man-in-the-Middle attacks, potentially leading to information disclosure or arbitrary code execution in affected Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9697"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490018",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9697",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9697"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
        }
      ],
      "release_date": "2026-06-17T16:46:42.706000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T03:47:28+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22380"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy"
    },
    {
      "cve": "CVE-2026-45149",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-05-29T21:02:00.092772+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2483481"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-45149"
        },
        {
          "category": "external",
          "summary": "RHBZ#2483481",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483481"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-45149",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45149"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
        },
        {
          "category": "external",
          "summary": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2",
          "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
        }
      ],
      "release_date": "2026-05-29T19:55:07.337000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T03:47:28+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22380"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges"
    }
  ]
}

CVE-2026-45149 (GCVE-0-2026-45149)

Vulnerability from cvelistv5 – Published: 2026-05-29 19:55 – Updated: 2026-06-01 16:44

Title

brace-expansion: Large numeric range defeats documented `max` DoS protection

Summary

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/juliangruber/brace-expansion/s…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
juliangruber	brace-expansion	Affected: >= 5.0.0, < 5.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-01T16:42:12.730782Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-01T16:44:23.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "brace-expansion",
          "vendor": "juliangruber",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T19:55:07.337Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
        }
      ],
      "source": {
        "advisory": "GHSA-jxxr-4gwj-5jf2",
        "discovery": "UNKNOWN"
      },
      "title": "brace-expansion: Large numeric range defeats documented `max` DoS protection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45149",
    "datePublished": "2026-05-29T19:55:07.337Z",
    "dateReserved": "2026-05-08T20:44:38.964Z",
    "dateUpdated": "2026-06-01T16:44:23.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6734 (GCVE-0-2026-6734)

Vulnerability from cvelistv5 – Published: 2026-06-17 16:36 – Updated: 2026-06-17 18:26

Title

undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

Summary

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-346 - Origin Validation Error

Assigner

openjs

References

2 references

URL	Tags
https://github.com/nodejs/undici/security/advisor…
https://cna.openjsf.org/security-advisories.html

Impacted products

1 product

Vendor	Product	Version
undici	undici	Affected: 7.23.0 , < 7.26.0 (semver) Unaffected: 7.26.0 (semver) Affected: 8.0.0 , < 8.2.0 (semver) Unaffected: 8.2.0 (semver)

Credits

ChALkeR mcollina UlisesGascon deepview-autofix

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:26:41.848641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:26:51.736Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/undici",
          "product": "undici",
          "vendor": "undici",
          "versions": [
            {
              "lessThan": "7.26.0",
              "status": "affected",
              "version": "7.23.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.26.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.2.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ChALkeR"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "mcollina"
        },
        {
          "lang": "en",
          "type": "remediation verifier",
          "value": "UlisesGascon"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "deepview-autofix"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\nWhen using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool\u0027s origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.\n\nThis causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.\n\nImpacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.\n\nThis was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.\n\nPatches:\nUpgrade to undici v7.26.0 or v8.2.0.\n\nWorkarounds:\nUse a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins."
            }
          ],
          "value": "Impact:\nWhen using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool\u0027s origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.\n\nThis causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.\n\nImpacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.\n\nThis was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.\n\nPatches:\nUpgrade to undici v7.26.0 or v8.2.0.\n\nWorkarounds:\nUse a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T16:36:55.439Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-6734",
    "datePublished": "2026-06-17T16:36:55.439Z",
    "dateReserved": "2026-04-20T22:57:40.878Z",
    "dateUpdated": "2026-06-17T18:26:51.736Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9678 (GCVE-0-2026-9678)

Vulnerability from cvelistv5 – Published: 2026-06-17 17:04 – Updated: 2026-06-17 18:05

Title

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

Summary

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored. In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.

Severity

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-524 - Use of Cache Containing Sensitive Information

Assigner

openjs

References

2 references

URL	Tags
https://github.com/nodejs/undici/security/advisor…
https://cna.openjsf.org/security-advisories.html

Impacted products

1 product

Vendor	Product	Version
undici	undici	Affected: 7.0.0 , < 7.28.0 (semver) Unaffected: 7.28.0 (semver) Affected: 8.0.0 , < 8.5.0 (semver) Unaffected: 8.5.0 (semver)

Credits

mcollina UlisesGascon AndrewMohawk

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9678",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:05:24.378630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:05:30.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/undici",
          "product": "undici",
          "vendor": "undici",
          "versions": [
            {
              "lessThan": "7.28.0",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.28.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "mcollina"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "AndrewMohawk"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."
            }
          ],
          "value": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T17:04:09.680Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "undici vulnerable to cross-user information disclosure via shared cache whitespace bypass",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-9678",
    "datePublished": "2026-06-17T17:04:09.680Z",
    "dateReserved": "2026-05-27T08:05:04.453Z",
    "dateUpdated": "2026-06-17T18:05:30.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9697 (GCVE-0-2026-9697)

Vulnerability from cvelistv5 – Published: 2026-06-17 16:46 – Updated: 2026-06-17 18:34

Title

undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent

Summary

Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

openjs

References

2 references

URL	Tags
https://github.com/nodejs/undici/security/advisor…
https://cna.openjsf.org/security-advisories.html

Impacted products

1 product

Vendor	Product	Version
undici	undici	Affected: 7.23.0 , < 7.28.0 (semver) Unaffected: 7.28.0 (semver) Affected: 8.0.0 , < 8.5.0 (semver) Unaffected: 8.5.0 (semver)

Credits

tonghuaroot UlisesGascon

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9697",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:34:18.472294Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:34:54.144Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/undici",
          "product": "undici",
          "vendor": "undici",
          "versions": [
            {
              "lessThan": "7.28.0",
              "status": "affected",
              "version": "7.23.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.28.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "tonghuaroot"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\nundici\u0027s ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node\u0027s default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici\u0027s ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly."
            }
          ],
          "value": "Impact:\nundici\u0027s ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node\u0027s default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici\u0027s ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T16:46:42.706Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-9697",
    "datePublished": "2026-06-17T16:46:42.706Z",
    "dateReserved": "2026-05-27T12:02:46.825Z",
    "dateUpdated": "2026-06-17T18:34:54.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:22380

CVE-2026-45149 (GCVE-0-2026-45149)

CVE-2026-6734 (GCVE-0-2026-6734)

CVE-2026-9678 (GCVE-0-2026-9678)

CVE-2026-9697 (GCVE-0-2026-9697)

Tags

Sightings

Nomenclature