[Pkg-javascript-devel] Bug#1125679: node-undici: CVE-2026-22036
Salvatore Bonaccorso
carnil at debian.org
Thu Jan 15 21:02:10 GMT 2026
Source: node-undici
Version: 7.16.0+dfsg+~cs3.2.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-undici.
CVE-2026-22036[0]:
| Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and
| 6.23.0, the number of links in the decompression chain is unbounded
| and the default maxHeaderSize allows a malicious server to insert
| thousands compression steps leading to high CPU usage and excessive
| memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-22036
https://www.cve.org/CVERecord?id=CVE-2026-22036
[1] https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
[2] https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list