[Security] Bump undici and discord.js
Bumps undici to 6.27.0 and updates ancestor dependency discord.js. These dependencies need to be updated together.
Updates undici from 5.29.0 to 6.27.0 This update includes security fixes.
Vulnerabilities fixed
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Impact
The
fetch()API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.
Patches
Upgrade to 7.18.2 or 6.23.0.
Workarounds
It is possible to apply an undici interceptor and filter long
Content-Encodingsequences manually.References
- https://hackerone.com/reports/3456148
- https://github.com/advisories/GHSA-gm62-xv2j-4w53
- https://curl.se/docs/CVE-2022-32206.html
Patched versions: 6.23.0; 7.18.2 Affected versions: < 6.23.0; >= 7.0.0, < 7.18.2
Undici has an HTTP Request/Response Smuggling issue
Impact
Undici allows duplicate HTTP
Content-Lengthheaders when they are provided in an array with case-variant names (e.g.,Content-Lengthandcontent-length). This produces malformed HTTP/1.1 requests with multiple conflictingContent-Lengthvalues on the wire.Who is impacted:
- Applications using
undici.request(),undici.Client, or similar low-level APIs with headers passed as flat arrays- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate
Content-Lengthheaders (400 Bad Request)- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
If upgrading is not immediately possible:
... (truncated)
Patched versions: 7.24.0; 6.24.0 Affected versions: >= 7.0.0, < 7.24.0; < 6.24.0
Undici has CRLF Injection in undici via
upgradeoptionImpact
When an application passes user-controlled input to the
upgradeoption ofclient.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the
upgradevalue directly to the socket without validating for invalid header characters:// lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
... (truncated)
Patched versions: 7.24.0; 6.24.0 Affected versions: >= 7.0.0, < 7.24.0; < 6.24.0
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the
server_max_window_bitsparameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-rangeserver_max_window_bitsvalue (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.The vulnerability exists because:
- The
isValidClientWindowBits()function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15- The
createInflateRaw()call is not wrapped in a try-catch block- The resulting exception propagates up through the call stack and crashes the Node.js process
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Patched versions: 7.24.0; 6.24.0 Affected versions: >= 7.0.0, < 7.24.0; < 6.24.0
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the
PerMessageDeflate.decompress()method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.Impact
- Remote denial of service against any Node.js application using undici's WebSocket client
- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
- No application-level mitigation is possible as decompression occurs before message delivery
Patches
Users should upgrade to fixed versions.
Workarounds
No workaround are possible.
Patched versions: 7.24.0; 6.24.0 Affected versions: >= 7.0.0, < 7.24.0; < 6.24.0
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
Disable keep-alive connection reuse by setting
keepAliveTimeout: 0on the Client or Pool.Patched versions: 8.5.0; 7.28.0; 6.27.0 Affected versions: >= 8.0.0, < 8.5.0; >= 7.0.0, < 7.28.0; < 6.27.0
undici WebSocket client vulnerable to denial of service via fragment count bypass
Impact
The undici WebSocket client enforces
maxPayloadSizeon the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.Affected applications are those using the undici WebSocket client (
new WebSocket(...)) or theWebSocketStreamAPI that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.All releases starting at undici 6.17.0 are affected.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
No workaround is available. The fix must be applied through an upgrade.
Patched versions: 8.5.0; 7.28.0; 6.27.0 Affected versions: >= 8.0.0, < 8.5.0; >= 7.0.0, < 7.28.0; < 6.27.0
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Impact
undici's cookie parser in
parseSetCookiepercent-decodes cookie values viaqsUnescape, turning encoded sequences like%0D%0A,%00,%3B, and%3Dinto their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.Applications that parse a
Set-Cookieheader and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrarySet-Cookie,Location, orCache-Controlheaders into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.Affected applications are those that use undici's cookie parsing (
parseSetCookie,parseCookie,getSetCookies) and forward the parsed cookie value into a response header.This was introduced in undici 7.0.0 via #3789.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
If upgrade is not immediately possible, do not forward values returned by
parseSetCookie/parseCookie/getSetCookiesdirectly into response headers; sanitize the value first to strip or reject CR, LF, NUL,;, and=bytes.Patched versions: 8.5.0; 7.28.0; 6.27.0 Affected versions: >= 8.0.0, < 8.5.0; >= 7.0.0, < 7.28.0; < 6.27.0
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Impact
When undici parses a
Set-Cookieheader, it accepts anySameSiteattribute value that containsStrict,Lax, orNoneas a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens:
SameSite=NoneOfYourBusinessis parsed asNone, the most permissive setting.SameSite=StrictLaxis parsed asLax, a downgrade fromStrict.Affected applications are those that consume
Set-Cookieheaders from server responses (for example via undici'sfetchor proxy code paths) and then forward or rely on the parsedsameSiteattribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.This was introduced in undici 5.15.0 when the cookies feature was added.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
After parsing a
Set-Cookieheader, validate that the resultingsameSiteattribute is one of'Strict','Lax', or'None'(exact, case-insensitive) before forwarding or relying on it.Patched versions: 8.5.0; 7.28.0; 6.27.0 Affected versions: >= 8.0.0, < 8.5.0; >= 7.0.0, < 7.28.0; < 6.27.0
Release notes
Sourced from undici's releases.
v6.27.0
⚠️ Security ReleaseThis release line addresses 4 security advisories.
Action required: Upgrade to undici 6.27.0 or later.
npm install undici@^6.27.0Note on patched version: the v6 fixes shipped in v6.27.0, not
6.26.0—v6.26.0contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).
Summary
Advisory CVE Severity (CVSS) Fixed in Fix commit GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix:
b7f252e7Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.
- Affected: applications using
new WebSocket(...)orWebSocketStreamagainst untrusted endpoints.- Workaround: none — upgrade is required.
Moderate severity
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
... (truncated)
Commits
551138cBumped v6.27.0 (#5431)b7f252eBackport WebSocket maxPayloadSize fixes to v7.x (#5423) (#5428)25efa44fix(cookies): preserve values and parse SameSite strictlyf4c31d6fix: guard idle socket validation to skip fresh sockets (#5400)768beacBumped v6.26.0 (#5323)7917b25fix: validate EOF for chunked h1 responses (#5308)3420499Bumped v6.25.0 (#5029)d7a1e55feat: add configurable maxPayloadSize for WebSocket (#4955)a9d1848Do not mark v6.x releases as latest0126586Ignore local agent configuration files- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.
Install script changes
This version modifies prepare script that runs during installation. Review the package contents before updating.
Updates discord.js from 14.3.0 to 14.27.0
Release notes
Sourced from discord.js's releases.
14.27.0
Bug Fixes
- Update
clientReadyevent name references (#10632) (9592aea)- InteractionResponses: Optional parameter for update() (#10797) (fbda4fe)
- guide: Miscellaneous fixes (#11147) (c53c8c2)
- GuildChannel: Manageable perm check (#11166) (8b342a1)
- StageInstanceManager#create: Correctly resolve
guildScheduledEvent(#11540) (0aabb6c)- RoleManager: Allow null in RoleColorsResolvable to clear gradient colors (#11536) (221680d)
- GuildChannel: Handle empty overwrite must only handle
@everyone(#11221) (1e2fdf4)Documentation
- Attachment:
stringproperty (d646a13)- Fix close tags (#10756) (4349e10)
- Replace Discord API with Discord Developers (#10968) (538457c)
- Clarify wording for maximum values (#11231) (9ec73fa)
- Fix incorrect casing in the ready event deprecation (#11574) (0df0628)
- Fix typos and duplicated words in comments and guide (#11502) (63cd992)
Features
- Send voice messages (#11493) (fed811a)
- Guild: Add
maximumStageBitrate(#11313) (6d2cd99)- Proper authorizing integration owners structure (#11366) (b6db455)
- RoleManager: Add
fetchMemberCounts(#11352) (3b738ee)- Emit voiceServerUpdate event (#11414) (74a42bf)
- GuildMember: Add collectibles (#11468) (b0e6aff)
- Add shared client theme support (#11454) (16fd248)
- ClientApplication: Add fetchActivityInstance method (#11481) (24a0606)
Refactor
- Reorder imports (40b7a60)
Typings
- WebhookMessageCreateOptions: Omit
sharedClientTheme(b816b79)- Message: Specify
rawDataarg type (#11123) (c4531d4)- UserManager: Fix send() return type to Promise<Message> (#11337) (07c4127)
14.26.5
Bug Fixes
14.26.4
Bug Fixes
... (truncated)
Changelog
Sourced from discord.js's changelog.
14.27.0 - (2026-07-15)
Bug Fixes
- Update
clientReadyevent name references (#10632) (9592aea)- InteractionResponses: Optional parameter for update() (#10797) (fbda4fe)
- guide: Miscellaneous fixes (#11147) (c53c8c2)
- GuildChannel: Manageable perm check (#11166) (8b342a1)
- StageInstanceManager#create: Correctly resolve
guildScheduledEvent(#11540) (0aabb6c)- RoleManager: Allow null in RoleColorsResolvable to clear gradient colors (#11536) (221680d)
- GuildChannel: Handle empty overwrite must only handle
@everyone(#11221) (1e2fdf4)Documentation
- Attachment:
stringproperty (d646a13)- Fix close tags (#10756) (4349e10)
- Replace Discord API with Discord Developers (#10968) (538457c)
- Clarify wording for maximum values (#11231) (9ec73fa)
- Fix incorrect casing in the ready event deprecation (#11574) (0df0628)
- Fix typos and duplicated words in comments and guide (#11502) (63cd992)
Features
- Send voice messages (#11493) (fed811a)
- Guild: Add
maximumStageBitrate(#11313) (6d2cd99)- Proper authorizing integration owners structure (#11366) (b6db455)
- RoleManager: Add
fetchMemberCounts(#11352) (3b738ee)- Emit voiceServerUpdate event (#11414) (74a42bf)
- GuildMember: Add collectibles (#11468) (b0e6aff)
- Add shared client theme support (#11454) (16fd248)
- ClientApplication: Add fetchActivityInstance method (#11481) (24a0606)
Refactor
- Reorder imports (40b7a60)
Typings
- WebhookMessageCreateOptions: Omit
sharedClientTheme(b816b79)- Message: Specify
rawDataarg type (#11123) (c4531d4)- UserManager: Fix send() return type to Promise<Message> (#11337) (07c4127)
14.26.5 - (2026-07-10)
Bug Fixes
14.26.4 - (2026-05-01)
... (truncated)
Commits
c888a64chore(discord.js): release discord.js@14.27.0b816b79types(WebhookMessageCreateOptions): omitsharedClientTheme40b7a60refactor: reorder importsd646a13docs(Attachment):stringproperty9592aeafix: updateclientReadyevent name references (#10632)4349e10docs: Fix close tags (#10756)fbda4fefix(InteractionResponses): Optional parameter for update() (#10797)c53c8c2fix(guide): Miscellaneous fixes (#11147)538457cdocs: Replace Discord API with Discord Developers (#10968)be8300cchore: update readme badges (#11152)- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by crawl, a new releaser for discord.js since your current version.
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts