Skip to content

[Security] Bump undici from 5.10.0 to 5.21.2

Dependabot requested to merge dependabot-npm_and_yarn-undici-5.21.2 into master

Bumps undici from 5.10.0 to 5.21.2. This update includes security fixes.

Vulnerabilities fixed

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

Credits

Carter Snook reported this vulnerability.

Patched versions: 5.19.1 Affected versions: < 5.19.1

CRLF Injection in Nodejs ‘undici’ via host

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1

Release notes

Sourced from undici's releases.

v5.21.2

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v5.21.1...v5.21.2

v5.21.1

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v5.21.0...v5.21.1

v5.21.0

What's Changed

... (truncated)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading