Find, fix and prevent vulnerabilities in your code.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to HTTP Request Smuggling in the processHeader() while handling HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend servers.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report
• Red Hat Bugzilla Bug

Overview

fastify is an overhead web framework, for Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the sendWebStream function. An attacker can cause excessive memory consumption by sending a slow or non-reading client request, leading to unbounded buffering and severe performance degradation or process crashes.

Note: Only applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted

Workaround

This vulnerability can be mitigated by avoiding Fastify Web Streams in responses and instead using Node.js streams or buffered payloads.

Remediation

Upgrade fastify to version 5.7.3 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses with a large number of chained compression steps in the Content-Encoding header.

Remediation

Upgrade undici to version 6.23.0, 7.18.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Release

Overview

mercurius is a GraphQL adapter for Fastify

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to incorrect parsing of the Content-Type header. An attacker can perform unauthorized actions on behalf of an authenticated user by sending specially crafted cross-origin requests that bypass CORS protections.

PoC

// Server-side Fastify setup
const Fastify = require('fastify');
const mercurius = require('mercurius');

const app = Fastify();
const schema = `
  type Query {
    hello(name: String): String
  }
`;

const resolvers = {
  Query: {
    hello: (_, { name }) => `Hello ${name || 'World'}!`
  }
};

app.register(mercurius, { schema, resolvers });

app.listen(3000, () => {
  console.log('Server listening on http://localhost:3000');
});

// Malicious client-side code
fetch('http://localhost:3000/graphql', {
  method: 'POST',
  body: JSON.stringify({ query: '{ hello(name: "attacker") }' }),
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  credentials: 'include'
});

Remediation

Upgrade mercurius to version 16.4.0 or higher.

References

• GitHub Commit
• GitHub PR

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to CRLF Injection via the upgrade option of the client.request() function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTTP requests by sending specially crafted input, potentially leading to unauthorized information disclosure or bypassing of security controls.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report
• Red Hat Bugzilla Bug