Skip to content

[Security] Bump undici from 5.28.3 to 5.28.4

Dependabot requested to merge dependabot-npm_and_yarn-undici-5.28.4 into master

Bumps undici from 5.28.3 to 5.28.4. This update includes security fixes.

Vulnerabilities fixed

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Patched versions: 5.28.4 Affected versions: < 5.28.4

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Patched versions: 5.28.4 Affected versions: < 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

Security Release

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4

Commits
  • fb98306 Bumped v5.28.4
  • 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
  • 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
  • 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
  • 0e9d54b skip failing test due to Node.js changes
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading