node-undici - Debian Package Tracker

general

source: node-undici (main)
version: 7.16.0+dfsg+~cs3.2.0-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Yadd [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
old-sec: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3
stable: 7.3.0+dfsg1+~cs24.12.11-1
testing: 7.16.0+dfsg+~cs3.2.0-2
unstable: 7.16.0+dfsg+~cs3.2.0-2

versioned links

5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.3.0+dfsg1+~cs24.12.11-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.16.0+dfsg+~cs3.2.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-undici

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Created: 2025-05-16 Last update: 2025-10-12 05:31

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Created: 2025-08-09 Last update: 2025-10-12 05:31

debian/patches: 1 patch with invalid metadata high

Among the 2 debian patches available in version 7.16.0+dfsg+~cs3.2.0-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.

Created: 2025-10-10 Last update: 2025-10-10 08:03

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 79fd0697e45501c49eba5b50f8eef93340517d84
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu Oct 16 14:22:29 2025 +0200

    Switch to watch 5

Created: 2025-10-16 Last update: 2025-10-16 13:31

lintian reports 13 warnings normal

Lintian reports 13 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-10-10 Last update: 2025-10-10 06:32

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-23167: (needs triaging) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: (needs triaging) Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-16 Last update: 2025-10-12 05:31

6 low-priority security issues in bookworm low

There are 6 open security issues in bookworm.

6 issues left for the package maintainer to handle:

CVE-2024-24758: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-30260: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-30261: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2025-22150: (needs triaging) Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
CVE-2025-23167: (needs triaging) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: (needs triaging) Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-19 Last update: 2025-10-12 05:31

news

[rss feed]

[2025-10-12] node-undici 7.16.0+dfsg+~cs3.2.0-2 MIGRATED to testing (Debian testing watch)
[2025-10-09] Accepted node-undici 7.16.0+dfsg+~cs3.2.0-2 (source) into unstable (Jérémy Lal)
[2025-10-07] Accepted node-undici 7.16.0+dfsg+~cs3.2.0-1 (source) into unstable (Jérémy Lal)
[2025-09-20] Accepted node-undici 7.15.0+dfsg+~cs3.2.0-3 (source) into unstable (Jérémy Lal)
[2025-08-30] Accepted node-undici 7.15.0+dfsg+~cs3.2.0-1 (source) into unstable (Jérémy Lal)
[2025-08-17] node-undici 7.3.0+dfsg1+~cs24.12.11-2 MIGRATED to testing (Debian testing watch)
[2025-05-13] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-02-02] node-undici 7.3.0+dfsg1+~cs24.12.11-1 MIGRATED to testing (Debian testing watch)
[2025-01-26] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-1 (source) into unstable (Jérémy Lal)
[2025-01-25] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-2 (source) into experimental (Jérémy Lal)
[2025-01-22] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jérémy Lal)
[2024-12-10] Accepted node-undici 7.1.0+dfsg1+~cs24.12.10-1 (source) into experimental (Jérémy Lal)
[2024-06-16] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
[2024-04-15] node-undici 5.28.4+dfsg1+~cs23.12.11-2 MIGRATED to testing (Debian testing watch)
[2024-04-12] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-2 (source) into unstable (Jérémy Lal)
[2024-04-05] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-24] node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 MIGRATED to testing (Debian testing watch)
[2024-01-22] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-21] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-20] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-4 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2024-01-20] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
[2023-12-27] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into stable-security (Debian FTP Masters) (signed by: Jérémy Lal)
[2023-12-05] node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 MIGRATED to testing (Debian testing watch)
[2023-12-03] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-2 (source all) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-29] node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 MIGRATED to testing (Debian testing watch)
[2023-11-27] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-26] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 4 5
RC: 0
I&N: 4 5
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 13)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci