All errata/c10f2/ALT-PU-2025-2017-6
ALT-PU-2025-2017-6

Package update node in branch c10f2

Version16.20.3-alt1
Task#371827
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (14)

BDU:2023-07356
LOW3.5

Уязвимость клиента HTTP/1.1 undici программной платформы Node.js, позволяющая нарушителю раскрыть защищаемую информацию

Published: 2023-11-01Modified: 2024-09-23
CVSS 3.xLOW 3.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2024-02689
MEDIUM5.3

Уязвимость функции node::http2::Http2Session::~Http2Session() HTTP/2-сервера программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-04-06Modified: 2026-03-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2024-02798
HIGH7.5

Уязвимость HTTP-сервера программной платформы Node.js, позволяющая нарушителю обойти ограничения безопасности и вызвать отказ в обслуживании

Published: 2024-04-10Modified: 2026-03-04
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-02800
LOW3.9

Уязвимость клиента HTTP/1.1 Undici программной платформы Node.js, связанная с недостаточной защитой служебных данных в результате некорректной очистки заголовков Proxy-Authentication, позволяющая нарушителю повысить свои привилегии

Published: 2024-04-10Modified: 2025-04-29
CVSS 3.xLOW 3.9
CVSS:3.x/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 5.1
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
References
BDU:2024-03125
MEDIUM6.1

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Published: 2024-04-22Modified: 2026-03-04
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
CVE-2023-45143
LOW3.5

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Published: 2023-10-12Modified: 2024-11-21
CVSS 3.xLOW 3.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
References
CVE-2024-22019
HIGH7.5

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Published: 2024-02-20Modified: 2025-11-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-24758
MEDIUM4.5

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: 2024-02-16Modified: 2024-12-17
CVSS 3.xMEDIUM 4.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
References
CVE-2024-27982
MEDIUM6.5

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Published: 2024-05-07Modified: 2026-04-15
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References
CVE-2024-27983
HIGH8.2

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Published: 2024-04-09Modified: 2026-04-15
CVSS 3.xHIGH 8.2
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
References
CVE-2025-22150
MEDIUM6.8

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

Published: 2025-01-21Modified: 2026-04-15
CVSS 3.xMEDIUM 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
References
GHSA-3787-6prv-h9w3
LOW3.9

Undici proxy-authorization header not cleared on cross-origin redirect in fetch

Published: 2024-02-16Modified: 2024-05-02
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
References
GHSA-c76h-2ccp-4975
MEDIUM6.8

Use of Insufficiently Random Values in undici

Published: 2025-01-22
CVSS 3.xMEDIUM 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
References
GHSA-wqq4-5wpv-mx2g
LOW3.9

Undici's cookie header not cleared on cross-origin redirect in fetch

Published: 2023-10-16Modified: 2024-02-17
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
References