Threat Advisory

Undici Vulnerability Allows TLS Bypass via SOCKS5

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the npm package undici, affecting versions ≥ 7.23.0 < 7.28.0 and ≥ 8.0.0 < 8.5.0. The first issue is a TLS certificate validation bypass when ProxyAgent is configured with a SOCKS5 proxy: the caller's custom TLS trust settings are ignored, which exposes the connection to a man‑in‑the‑middle attack. The second is a denial‑of‑service condition in the WebSocket client, which does not enforce a cumulative payload limit across fragmented messages and can therefore be driven into unbounded memory consumption. Both vulnerabilities affect data confidentiality and service availability, posing compliance and operational risks for organizations that rely on undici for HTTP and WebSocket communications.

  • CVE-2026-9697 with a CVSS score of 7.4 – A TLS certificate validation bypass in undici's ProxyAgent when it is configured with a SOCKS5 proxy: the requestTls option is silently dropped, so the connection falls back to the default CA bundle and any custom trust settings the application supplied are never applied, allowing an on‑path attacker to mount a man‑in‑the‑middle attack. Exploitation requires the victim application to use ProxyAgent with SOCKS5 and to rely on custom TLS settings passed via requestTls.
  • CVE-2026-9675 with a CVSS score of 7.5 – The undici WebSocket client does not enforce a cumulative payload size across the fragments of a single message, so a malicious server can send many small fragments whose total exhausts process memory and causes a denial of service. The attacker must control or have compromised the WebSocket endpoint the client connects to.
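
The fragmentation flaw is easiest to see next to its fix. The following is an added example written for this advisory, not undici's own code: a reassembler that only caps individual frames (the pattern the advisory describes) beside one that also caps the running total of a fragmented message. Frame sizes and limits are constructed for the demonstration.

```javascript
'use strict';
// Added example, not undici's own code. The advisory says the affected
// WebSocket client bounds each frame but never the running total of a
// fragmented message, so a server can stream small continuation frames
// until the client runs out of memory. PerFrameOnlyReassembler reproduces
// that pattern; CumulativeReassembler adds the missing check. Limits and
// frame sizes below are constructed for the demonstration.

class PerFrameOnlyReassembler {
  constructor(maxFrameBytes) {
    this.maxFrameBytes = maxFrameBytes;
    this.parts = [];
    this.buffered = 0; // bytes held for the in-progress message
  }

  // Accept one frame; `fin` marks the last fragment of the message.
  // Returns the reassembled message on FIN, otherwise null.
  push(fragment, fin) {
    if (fragment.length > this.maxFrameBytes) {
      throw new RangeError('frame exceeds maxFrameBytes');
    }
    // Vulnerable: nothing caps how far `parts` can grow across fragments.
    this.parts.push(fragment);
    this.buffered += fragment.length;
    if (!fin) return null;
    const message = Buffer.concat(this.parts);
    this.parts = [];
    this.buffered = 0;
    return message;
  }
}

class CumulativeReassembler extends PerFrameOnlyReassembler {
  constructor(maxFrameBytes, maxMessageBytes) {
    super(maxFrameBytes);
    this.maxMessageBytes = maxMessageBytes;
  }

  push(fragment, fin) {
    // Check the running total before buffering, so the offending fragment
    // is never stored; a real client would then close with status 1009.
    if (this.buffered + fragment.length > this.maxMessageBytes) {
      this.parts = [];
      this.buffered = 0;
      throw new RangeError('message exceeds maxMessageBytes');
    }
    return super.push(fragment, fin);
  }
}

// Feed `count` identical fragments of `size` bytes, the last with FIN set.
// Returns what happened so the two reassemblers can be compared.
function drive(reassembler, size, count) {
  const chunk = Buffer.alloc(size, 0x41);
  let peakBuffered = 0;
  let messageLength = 0;
  let rejected = false;
  try {
    for (let i = 0; i < count; i++) {
      const out = reassembler.push(chunk, i === count - 1);
      peakBuffered = Math.max(peakBuffered, reassembler.buffered);
      if (out) messageLength = out.length;
    }
  } catch (err) {
    if (!(err instanceof RangeError)) throw err;
    rejected = true;
  }
  return { rejected, peakBuffered, messageLength };
}

const FRAME_LIMIT = 64 * 1024;      // per-frame cap honoured by both classes
const MESSAGE_LIMIT = 1024 * 1024;  // cumulative cap only the fixed class has

// 10,000 fragments of 1 KiB: every frame is well under the per-frame cap.
console.log('per-frame only :', drive(new PerFrameOnlyReassembler(FRAME_LIMIT), 1024, 10000));
console.log('cumulative cap :', drive(new CumulativeReassembler(FRAME_LIMIT, MESSAGE_LIMIT), 1024, 10000));
```

Each frame here is 1 KiB, far below the per-frame cap, yet the first reassembler ends up holding nearly 10 MiB before the final frame arrives; only the total-size check stops the growth at the configured message limit. The same accounting has to cover the case where the server simply never sends the FIN frame.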

These flaws represent high‑severity threats that demand immediate attention; if left unaddressed, enterprises risk unauthorized data interception, regulatory breaches, and service outages that can erode customer trust and incur significant financial impact.

RECOMMENDATION:

  • Update undici to version 7.28.0 or later on the 7.x line, or to 8.5.0 or later on the 8.x line. Check nested copies installed under other dependencies as well as the top‑level package, since a patched top‑level install does not fix a vulnerable transitive copy.
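
To find which installed copies fall inside the affected ranges, the following added script (not from the advisory or the undici project) encodes the ranges above and audits every undici entry in an npm lockfile, including nested copies under other dependencies. The lockfile object at the bottom is constructed for the demonstration; `auditLockfile` is the function a practitioner would point at a real `package-lock.json`.

```javascript
'use strict';
// Added example, not part of the advisory or the undici project. Encodes the
// affected ranges from the advisory and audits every undici entry in an npm
// lockfile (lockfileVersion 2 or 3 "packages" map), including nested copies
// installed under other dependencies. The lockfile object at the bottom is
// constructed for the demonstration.

// Affected: >= 7.23.0 < 7.28.0 and >= 8.0.0 < 8.5.0, each with its fixed release.
const AFFECTED_RANGES = [
  { min: [7, 23, 0], below: [7, 28, 0], fixed: '7.28.0' },
  { min: [8, 0, 0], below: [8, 5, 0], fixed: '8.5.0' },
];

// Parse "MAJOR.MINOR.PATCH". A prerelease or build suffix is ignored, so
// 7.24.0-rc.1 is treated as 7.24.0, which errs on the side of flagging it.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the minimum fixed version if `version` is affected, otherwise null.
function fixedVersionFor(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(v, r.min) >= 0 && compareVersions(v, r.below) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Walk lock.packages; keys look like "node_modules/undici" for the top-level
// install or "node_modules/<dep>/node_modules/undici" for nested copies.
function auditLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/undici') || !entry.version) continue;
    const fixed = fixedVersionFor(entry.version);
    if (fixed) findings.push({ path, version: entry.version, fixed });
  }
  return findings;
}

// Constructed lockfile: one affected 7.x copy, one patched 8.x copy, and one
// 6.x copy that lies outside the advisory's ranges.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/undici': { version: '7.25.1' },
    'node_modules/some-client/node_modules/undici': { version: '8.5.0' },
    'node_modules/legacy-tool/node_modules/undici': { version: '6.21.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Against a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `auditLockfile`; each finding names the install path, the version found, and the minimum release that fixes it. Lockfiles older than version 2 use a nested `dependencies` tree instead of the flat `packages` map and are not covered by this walk.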

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-vmh5-mc38-953g
https://github.com/advisories/GHSA-38rv-x7px-6hhq
