node-undici - Debian Package Tracker

general

source: node-undici (main)
version: 7.15.0+dfsg+~cs3.2.0-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Yadd [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
old-sec: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3
stable: 7.3.0+dfsg1+~cs24.12.11-1
testing: 7.3.0+dfsg1+~cs24.12.11-2
unstable: 7.15.0+dfsg+~cs3.2.0-1

versioned links

5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.3.0+dfsg1+~cs24.12.11-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.3.0+dfsg1+~cs24.12.11-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.15.0+dfsg+~cs3.2.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-undici

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:01:43
Last run: 2025-08-31T10:33:08.000Z
Previous status: unknown

testing: pass (log)
The tests ran in 0:05:38
Last run: 2025-08-28T04:49:07.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:03:33
Last run: 2025-08-19T19:30:56.000Z
Previous status: unknown

Created: 2025-08-31 Last update: 2025-09-11 12:04

A new upstream version is available: 7.16.0+~cs3.2.0 high

A new upstream version 7.16.0+~cs3.2.0 is available, you should consider packaging it.

Created: 2025-09-11 Last update: 2025-09-11 08:30

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Created: 2025-05-16 Last update: 2025-08-30 03:56

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

Created: 2025-08-09 Last update: 2025-08-30 03:56

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-09-11 13:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2025-09-04 Last update: 2025-09-11 12:02

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-08-30 Last update: 2025-08-30 09:03

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-23167: (needs triaging) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: (needs triaging) Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-16 Last update: 2025-08-30 03:56

6 low-priority security issues in bookworm low

There are 6 open security issues in bookworm.

6 issues left for the package maintainer to handle:

CVE-2024-24758: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-30260: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-30261: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2025-22150: (needs triaging) Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
CVE-2025-23167: (needs triaging) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
CVE-2025-47279: (needs triaging) Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-19 Last update: 2025-08-30 03:56

testing migrations

excuses:
- Migrates after: llhttp
- Migration status for node-undici (7.3.0+dfsg1+~cs24.12.11-2 to 7.15.0+dfsg+~cs3.2.0-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ autopkgtest for node-undici/7.15.0+dfsg+~cs3.2.0-1: amd64: Pass, arm64: Pass, i386: Regression ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ autopkgtest for nodejs/20.19.2+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Failed (not a regression) ♻ (reference ♻)
- ∙ ∙ Build-Depends(-Arch): node-undici llhttp (not considered)
- ∙ ∙ Depends: node-undici llhttp (not considered)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-undici.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ 12 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-08-30] Accepted node-undici 7.15.0+dfsg+~cs3.2.0-1 (source) into unstable (Jérémy Lal)
[2025-08-17] node-undici 7.3.0+dfsg1+~cs24.12.11-2 MIGRATED to testing (Debian testing watch)
[2025-05-13] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-02-02] node-undici 7.3.0+dfsg1+~cs24.12.11-1 MIGRATED to testing (Debian testing watch)
[2025-01-26] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-1 (source) into unstable (Jérémy Lal)
[2025-01-25] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-2 (source) into experimental (Jérémy Lal)
[2025-01-22] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jérémy Lal)
[2024-12-10] Accepted node-undici 7.1.0+dfsg1+~cs24.12.10-1 (source) into experimental (Jérémy Lal)
[2024-06-16] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
[2024-04-15] node-undici 5.28.4+dfsg1+~cs23.12.11-2 MIGRATED to testing (Debian testing watch)
[2024-04-12] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-2 (source) into unstable (Jérémy Lal)
[2024-04-05] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-24] node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 MIGRATED to testing (Debian testing watch)
[2024-01-22] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-21] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-01-20] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-4 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2024-01-20] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
[2023-12-27] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into stable-security (Debian FTP Masters) (signed by: Jérémy Lal)
[2023-12-05] node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 MIGRATED to testing (Debian testing watch)
[2023-12-03] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-2 (source all) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-29] node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 MIGRATED to testing (Debian testing watch)
[2023-11-27] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-26] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-11-23] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-10-16] node-undici 5.26.3+dfsg1+~cs23.10.12-2 MIGRATED to testing (Debian testing watch)
[2023-10-14] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-10-13] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 5 6
RC: 1
I&N: 4 5
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (0, 4)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.3.0+dfsg1+~cs24.12.11-2