Vulnerable Library - wrangler-2.0.28.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-0933
Vulnerable Library - wrangler-2.0.28.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Dependency Hierarchy:
- ❌ wrangler-2.0.28.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
- Run any shell command.
- Exfiltrate environment variables.
- Compromise the CI runner to install backdoors or modify build artifacts.
Credits Disclosed responsibly by kny4hacker.
Mitigation
- Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
- Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Publish Date: 2026-01-20
URL: CVE-2026-0933
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-20
Fix Resolution: 3.114.17
Step up your Open Source Security Game with Mend here
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
CVE-2023-7080
Vulnerable Library - wrangler-2.0.28.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Dependency Hierarchy:
- ❌ wrangler-2.0.28.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.
This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-12-29
URL: CVE-2023-7080
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7080
Release Date: 2023-12-29
Fix Resolution: 2.20.2
Step up your Open Source Security Game with Mend here
CVE-2026-48779
Vulnerable Library - ws-8.8.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- web-sockets-2.7.1.tgz
- ❌ ws-8.8.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Publish Date: 2026-06-16
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: https://github.com/websockets/ws.git - 7.5.11,https://github.com/websockets/ws.git - 8.21.0,https://github.com/websockets/ws.git - 6.2.4,https://github.com/websockets/ws.git - 5.2.5
Step up your Open Source Security Game with Mend here
CVE-2026-33895
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33894
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33891
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33671
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- shared-2.7.1.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-2229
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1526
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-12151
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Publish Date: 2026-06-17
URL: CVE-2026-12151
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vxpw-j846-p89q
Release Date: 2026-06-17
Fix Resolution: undici - 8.5.0,undici - 7.28.0,undici - 6.27.0,https://github.com/nodejs/undici.git - v7.28.0,https://github.com/nodejs/undici.git - v6.27.0,https://github.com/nodejs/undici.git - v8.5.0
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
CVE-2024-45296
Vulnerable Library - path-to-regexp-6.2.1.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- ❌ path-to-regexp-6.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 6.3.0
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- chokidar-3.5.3.tgz
- ❌ braces-3.0.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
CVE-2024-37890
Vulnerable Library - ws-8.8.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- web-sockets-2.7.1.tgz
- ❌ ws-8.8.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 8.17.1
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
CVE-2023-24807
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the "Headers.set()" and "Headers.append()" methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the "headerValueNormalize()" utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-24807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
CVE-2026-33896
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, "pki.verifyCertificateChain()" does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the "basicConstraints" and "keyUsage" extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33896
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2025-22150
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution (undici): 5.28.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-1525
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
CVE-2023-23936
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect "host" HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the "headers.host" string before passing to undici.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-23936
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
CVE-2026-9679
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
- wrangler-2.0.28.tgz (Root Library)
- miniflare-2.7.1.tgz
- ❌ undici-5.9.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.
This was introduced in undici 7.0.0 via PR #3789.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds:
If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
Publish Date: 2026-06-17
URL: CVE-2026-9679
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p88m-4jfj-68fv
Release Date: 2026-06-17
Fix Resolution (undici): 6.27.0
Direct dependency fix Resolution (wrangler): 4.24.4
Step up your Open Source Security Game with Mend here
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - wrangler-2.0.28.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
Credits Disclosed responsibly by kny4hacker.
Mitigation
Publish Date: 2026-01-20
URL: CVE-2026-0933
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-20
Fix Resolution: 3.114.17
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - wrangler-2.0.28.tgz
Command-line interface for all things Cloudflare Workers
Library home page: https://registry.npmjs.org/wrangler/-/wrangler-2.0.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrangler/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.
This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-12-29
URL: CVE-2023-7080
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7080
Release Date: 2023-12-29
Fix Resolution: 2.20.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-8.8.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Publish Date: 2026-06-16
URL: CVE-2026-48779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: https://github.com/websockets/ws.git - 7.5.11,https://github.com/websockets/ws.git - 8.21.0,https://github.com/websockets/ws.git - 6.2.4,https://github.com/websockets/ws.git - 5.2.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Publish Date: 2026-06-17
URL: CVE-2026-12151
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vxpw-j846-p89q
Release Date: 2026-06-17
Fix Resolution: undici - 8.5.0,undici - 7.28.0,undici - 6.27.0,https://github.com/nodejs/undici.git - v7.28.0,https://github.com/nodejs/undici.git - v6.27.0,https://github.com/nodejs/undici.git - v8.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-to-regexp-6.2.1.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 6.3.0
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-8.8.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-8.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution (ws): 8.17.1
Direct dependency fix Resolution (wrangler): 2.0.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the "Headers.set()" and "Headers.append()" methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the "headerValueNormalize()" utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-24807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, "pki.verifyCertificateChain()" does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the "basicConstraints" and "keyUsage" extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33896
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution (undici): 5.28.5
Direct dependency fix Resolution (wrangler): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Potential consequences:
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect "host" HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the "headers.host" string before passing to undici.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-02-16
URL: CVE-2023-23936
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-5.9.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.
This was introduced in undici 7.0.0 via PR #3789.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds:
If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
Publish Date: 2026-06-17
URL: CVE-2026-9679
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p88m-4jfj-68fv
Release Date: 2026-06-17
Fix Resolution (undici): 6.27.0
Direct dependency fix Resolution (wrangler): 4.24.4
Step up your Open Source Security Game with Mend here