chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
undici@>=5.0.0 (source)	^5.28.5 → ^5.29.0

---

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2026-22036 / GHSA-g9mf-h72j-4rw9

More information

Details

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

• https://hackerone.com/reports/3456148
• GHSA-gm62-xv2j-4w53
• https://curl.se/docs/CVE-2022-32206.html

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
• https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
• https://nvd.nist.gov/vuln/detail/CVE-2026-22036
• https://github.com/advisories/GHSA-g9mf-h72j-4rw9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

• Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
• Applications that accept user-controlled header names without case-normalization

Potential consequences:

• Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
• HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
• https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• https://hackerone.com/reports/3556037
• https://cna.openjsf.org/security-advisories.html
• https://cwe.mitre.org/data/definitions/444.html
• https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
• https://github.com/advisories/GHSA-2mjp-6q6p-2qxm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8

More information

Details

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
2. The createInflateRaw() call is not wrapped in a try-catch block
3. The resulting exception propagates up through the call stack and crashes the Node.js process

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
• https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• https://hackerone.com/reports/3487486
• https://cna.openjsf.org/security-advisories.html
• https://datatracker.ietf.org/doc/html/rfc7692
• https://nodejs.org/api/zlib.html#class-zlibinflateraw
• https://github.com/advisories/GHSA-v9p9-hfj2-hcw8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
• https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• https://hackerone.com/reports/3487198
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-4992-7rv2-5pvq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

More information

Details

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact

• Remote denial of service against any Node.js application using undici's WebSocket client
• A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
• Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
• No application-level mitigation is possible as decompression occurs before message delivery

Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
• https://nvd.nist.gov/vuln/detail/CVE-2026-1526
• https://hackerone.com/reports/3481206
• https://cna.openjsf.org/security-advisories.html
• https://datatracker.ietf.org/doc/html/rfc7692
• https://owasp.org/www-community/attacks/Denial_of_Service
• https://github.com/advisories/GHSA-vrm6-8vpv-qv8q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodejs/undici (undici@>=5.0.0)

v5.29.0

Compare Source

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in #​4104
• Removed clients with unrecoverable errors from the Pool #​4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	5e3e842
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69f7a3d4a6daed00086cfa55

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 44.60
• Iterations/s: 14.86
• Failed Requests: 0.00% (0 of 2683)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 968 kB 16 kB/s
     data_sent......................: 2.1 MB 34 kB/s
     http_req_blocked...............: avg=6.65µs  min=1.99µs   med=5.44µs   max=954.81µs p(90)=6.55µs   p(95)=7.3µs   
     http_req_connecting............: avg=784ns   min=0s       med=0s       max=905.04µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=89.04ms min=8.2ms    med=72.45ms  max=460.65ms p(90)=156.6ms  p(95)=182.31ms
       { expected_response:true }...: avg=89.04ms min=8.2ms    med=72.45ms  max=460.65ms p(90)=156.6ms  p(95)=182.31ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2683
     http_req_receiving.............: avg=97.14µs min=22.83µs  med=85.91µs  max=2.47ms   p(90)=120.27µs p(95)=148.46µs
     http_req_sending...............: avg=33.69µs min=9.8µs    med=29.23µs  max=1.17ms   p(90)=40.23µs  p(95)=51.93µs 
     http_req_tls_handshaking.......: avg=0s      min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=88.91ms min=7.98ms   med=72.38ms  max=460.58ms p(90)=156.46ms p(95)=182.21ms
     http_reqs......................: 2683   44.60364/s
     iteration_duration.............: avg=268.9ms min=149.68ms med=255.97ms max=827.24ms p(90)=331.64ms p(95)=372.72ms
     iterations.....................: 894    14.862338/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4