⚠️ Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the following issues.
More information here: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
🚨 Medium-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-9679. undici vulnerable to HTTP header injection via Set-Cookie percent-decoding.
github.com/nodejs/undic...
🚨 High-severity security fix in [email protected] just released!
Patches CVE-2026-9675. undici WebSocket client vulnerable to denial of service via cumulative fragment bypass.
github.com/nodejs/undic...
🚨 Medium-severity security fix in undici (7.28.0, 8.5.0) just released!
Patches CVE-2026-9678. undici vulnerable to cross-user information disclosure via shared cache whitespace bypass.
github.com/nodejs/undic...
🚨 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-11525. undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching.
github.com/nodejs/undic...
🚨 High-severity security fix in undici (7.28.0, 8.5.0) just released!
Patches CVE-2026-9697. undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent.
github.com/nodejs/undic...
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
🚨 High-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-12151. undici WebSocket client vulnerable to denial of service via fragment count bypass.
github.com/nodejs/undic...
🚨 High-severity security fix in undici (7.26.0, 8.2.0) just released!
Patches CVE-2026-6734. undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse.
github.com/nodejs/undic...
🚨 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-6733. undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse.
github.com/nodejs/undic...
🔖 The latest issue of my #newsletter is live, issue 014.
Covers Express's new look, the Node.js Collaborators Summit, the AI report flood (16 CVEs patched), and getting back into homelabbing 🔐
blog.ulisesgascon.com/newsletter-i...
## Impact
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equi...
## Impact
The undici WebSocket client enforces `maxPayloadSize` per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream ma...
## Impact
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream `Cache-Control` header uses whitespace-padded qualified `private` or `no-cache` field na...
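An added example, not undici's code, of what the excerpt above is getting at: a `Cache-Control` tokenizer that trims whitespace around directive names, the `=` sign and quoted arguments before classifying the response, so ` private = "Set-Cookie" ` is recognised as `private`. The function names and the conservative rule that any `private`, `no-store` or `no-cache` directive (qualified or not) makes a response unsuitable for a shared cache are this example's own choices, not undici's.

```javascript
// Added example, not undici's code: parse a Cache-Control header so that
// whitespace around directive names, "=" and quoted arguments cannot change
// how a directive is classified. A naive split on "," followed by an exact
// string compare would miss ` private = "Set-Cookie" `.
function parseCacheControl(header) {
  const directives = new Map();
  const pieces = [];
  let current = '';
  let inQuotes = false;

  // Split on commas that are outside double quotes; a quoted argument such
  // as private="Set-Cookie, Authorization" may legitimately contain commas.
  for (const ch of header) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === ',' && !inQuotes) {
      pieces.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  pieces.push(current);

  for (const piece of pieces) {
    const eq = piece.indexOf('=');
    // Directive names are case-insensitive tokens; trim padding on both sides.
    const name = (eq === -1 ? piece : piece.slice(0, eq)).trim().toLowerCase();
    if (name === '') continue;
    let value = eq === -1 ? true : piece.slice(eq + 1).trim();
    if (typeof value === 'string' && value.length >= 2 &&
        value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip the quotes of a quoted-string argument
    }
    directives.set(name, value);
  }
  return directives;
}

// Conservative shared-cache decision (this example's own rule): any form of
// private, no-store or no-cache, with or without a field-name argument,
// means the response must not be stored in a cache shared between users.
function isShareableCacheable(header) {
  const directives = parseCacheControl(header);
  for (const blocking of ['private', 'no-store', 'no-cache']) {
    if (directives.has(blocking)) return false;
  }
  return true;
}
```

The parser returns a `Map` from lower-cased directive name to its argument (or `true` for argument-less directives), so a cache can also read `max-age` and friends from the same pass rather than re-scanning the raw string with a second, possibly inconsistent, matcher.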
## Impact
undici's `ProxyAgent` silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). The target HTTPS connection through the SOCKS5 tunnel ...
## Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact matc...
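An added example, not undici's code, showing the difference the excerpt above describes: a substring matcher for the `SameSite` attribute beside a case-insensitive exact matcher. The helper and function names are this example's own; the exact-match rule is the one RFC 6265bis specifies for `SameSite`.

```javascript
// Added example, not undici's code: matching the SameSite attribute of a
// Set-Cookie header. The permissive matcher reproduces the substring
// behaviour described in the advisory; the strict matcher is the
// case-insensitive exact match the cookie specification requires.
const SAME_SITE_VALUES = ['Strict', 'Lax', 'None'];

// Extract the raw SameSite attribute value from one Set-Cookie header line.
// Returns null when the attribute is absent. Attribute names are compared
// case-insensitively and surrounding whitespace is ignored.
function sameSiteAttributeValue(setCookieHeader) {
  const attributes = setCookieHeader.split(';').slice(1); // index 0 is name=value
  for (const attribute of attributes) {
    const eq = attribute.indexOf('=');
    const name = (eq === -1 ? attribute : attribute.slice(0, eq)).trim().toLowerCase();
    if (name === 'samesite') {
      return eq === -1 ? '' : attribute.slice(eq + 1).trim();
    }
  }
  return null;
}

// Permissive matcher: accepts any value that merely contains a known token,
// so an unrelated value such as "Relax" is reported as Lax.
function normalizeSameSitePermissive(rawValue) {
  const lowered = rawValue.toLowerCase();
  for (const candidate of SAME_SITE_VALUES) {
    if (lowered.includes(candidate.toLowerCase())) return candidate;
  }
  return null;
}

// Strict matcher: the whole value must equal a known token, compared
// case-insensitively. Anything else yields null so the caller applies its
// own documented default instead of guessing an enforcement level.
function normalizeSameSiteStrict(rawValue) {
  const lowered = rawValue.toLowerCase();
  for (const candidate of SAME_SITE_VALUES) {
    if (lowered === candidate.toLowerCase()) return candidate;
  }
  return null;
}
```

Returning `null` for an unrecognised value, rather than silently picking the first token that happens to appear inside it, keeps the decision about the default enforcement level in one visible place in the caller.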
## Impact
The undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSoc...
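An added example, not undici's code, covering both WebSocket excerpts above (the cumulative-size one and the fragment-count one): a message assembler that bounds the total bytes across all fragments of a message and the number of fragments, not just the size of each frame. Frames are plain `{ fin, payload }` objects constructed by the caller; frame parsing, compression and network I/O are deliberately left out, and the option names `maxPayloadSize` and `maxFragments` are assumptions of this example.

```javascript
// Added example, not undici's code: assemble a fragmented WebSocket message
// while enforcing two limits. A per-frame size check alone is not enough:
// the cumulative size of all fragments and the number of fragments must both
// be bounded, or a peer can make the receiver buffer an unbounded message
// out of many small frames. Frames are { fin, payload } objects built by the
// caller (payload is a Buffer).
function createMessageAssembler({ maxPayloadSize, maxFragments }) {
  let fragments = [];
  let totalBytes = 0;

  function reset() {
    fragments = [];
    totalBytes = 0;
  }

  function fail(reason) {
    reset(); // drop the partial message so its memory is released immediately
    throw new RangeError(reason);
  }

  return {
    // Feed one frame. Returns { done: false, ... } while the message is still
    // incomplete and { done: true, message } once a frame with fin=true
    // completes it. Throws RangeError when a limit would be exceeded.
    push(frame) {
      const len = frame.payload.length;
      if (len > maxPayloadSize) {
        fail(`frame of ${len} bytes exceeds maxPayloadSize ${maxPayloadSize}`);
      }
      if (totalBytes + len > maxPayloadSize) {
        fail(`message would reach ${totalBytes + len} bytes, exceeding maxPayloadSize ${maxPayloadSize}`);
      }
      if (fragments.length + 1 > maxFragments) {
        fail(`message would use ${fragments.length + 1} fragments, exceeding maxFragments ${maxFragments}`);
      }
      fragments.push(frame.payload);
      totalBytes += len;
      if (!frame.fin) {
        return { done: false, bytesSoFar: totalBytes, fragmentsSoFar: fragments.length };
      }
      const message = Buffer.concat(fragments);
      reset();
      return { done: true, message };
    },

    // Current accounting, useful for metrics or tests.
    stats() {
      return { bytesSoFar: totalBytes, fragmentsSoFar: fragments.length };
    },
  };
}
```

The cumulative check runs before the fragment is stored, so memory never exceeds `maxPayloadSize` even transiently, and the assembler resets itself on failure so a caller that closes the connection on `RangeError` is not left holding the partial message.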
## Impact
When using `Socks5ProxyAgent`, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are d...
## Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto...
It has been a while, so this is an extra-large update. Express got a full redesign and a new brand, the Node.js Collaborators Summit confronted an AI-driven flood of vulnerability reports, and a heavy...