🚨 High-severity security fix in undici (7.28.0, 8.5.0) just released!
Patches CVE-2026-9697. undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent.
github.com/nodejs/undic...
## Impact
undici's `ProxyAgent` silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). The target HTTPS connection through the SOCKS5 tunnel ...
🚨 High-severity security fix in undici (7.26.0, 8.2.0) just released!
Patches CVE-2026-6734. undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse.
github.com/nodejs/undic...
🚨 Medium-severity security fix in undici (7.28.0, 8.5.0) just released!
Patches CVE-2026-9678. undici vulnerable to cross-user information disclosure via shared cache whitespace bypass.
github.com/nodejs/undic...
🚨 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-11525. undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching.
github.com/nodejs/undic...
🚨 High-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-12151. undici WebSocket client vulnerable to denial of service via fragment count bypass.
github.com/nodejs/undic...
🚨 Medium-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-9679. undici vulnerable to HTTP header injection via Set-Cookie percent-decoding.
github.com/nodejs/undic...
🚨 Medium-severity security fix in [email protected] just released!
Patches CVE-2026-9595. webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies.
github.com/webpack/webp...
🔖 The latest issue of my #newsletter is live, issue 014.
Covers Express's new look, the Node.js Collaborators Summit, the AI report flood (16 CVEs patched), and getting back into homelabbing 🔐
blog.ulisesgascon.com/newsletter-i...
🚨 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-6733. undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse.
github.com/nodejs/undic...
🚨 High-severity security fix in [email protected] just released!
Patches CVE-2026-9675. undici WebSocket client vulnerable to denial of service via cumulative fragment bypass.
github.com/nodejs/undic...
Ulises Gascón
## Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto...
## Impact
The undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSoc...
## Impact
When using `Socks5ProxyAgent`, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are d...
## Impact
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream `Cache-Control` header uses whitespace-padded qualified `private` or `no-cache` field na...
It has been a while, so this is an extra-large update. Express got a full redesign and a new brand, the Node.js Collaborators Summit confronted an AI-driven flood of vulnerability reports, and a heavy...
### Impact
When a user-configured proxy on `webpack-dev-server` has a broad context (e.g. `/`) and `ws: true`, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy ta...
## Impact
The undici WebSocket client enforces `maxPayloadSize` per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream ma...
## Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact matc...
## Impact
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equi...
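The SameSite classification problem from the CVE-2026-11525 advisory above, as an added example that is not undici's code: an illustrative reconstruction of the permissive substring matcher beside an exact, case-insensitive matcher, both run over constructed Set-Cookie strings. The helper names and the minimal attribute splitter are assumptions made here.

```javascript
// Added example (not undici's code). Canonical SameSite values keyed by
// their lowercase form; attribute values are compared case-insensitively.
const SAME_SITE_VALUES = new Map([
  ['strict', 'Strict'],
  ['lax', 'Lax'],
  ['none', 'None'],
]);

// Illustrative reconstruction of the weak check: any value that merely
// contains one of the keywords is accepted as that policy.
function sameSiteSubstring(value) {
  const v = value.toLowerCase();
  for (const [needle, canonical] of SAME_SITE_VALUES) {
    if (v.includes(needle)) return canonical;
  }
  return undefined;
}

// Hardened check: only an exact, case-insensitive match is recognised.
// Anything else is ignored, so the cookie falls back to the default policy.
function sameSiteExact(value) {
  return SAME_SITE_VALUES.get(value.trim().toLowerCase());
}

// Minimal Set-Cookie splitter (assumed helper): skips the name=value pair,
// finds the SameSite attribute and classifies it with the given matcher.
function sameSiteOf(setCookie, matcher) {
  const parts = setCookie.split(';').map((p) => p.trim());
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name !== 'samesite') continue;
    const value = eq === -1 ? '' : part.slice(eq + 1);
    return matcher(value);
  }
  return undefined;
}

// Constructed sample: a non-standard value that only contains a keyword.
const SAMPLE = 'id=1; Path=/; SameSite=Strictly';
console.log(sameSiteOf(SAMPLE, sameSiteSubstring)); // Strict (misclassified)
console.log(sameSiteOf(SAMPLE, sameSiteExact));     // undefined (ignored)
```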