Title: tools: bump undici from 6.23.0 to 6.24.0 in /tools/doc by dependabot[bot] · Pull Request #62247 · nodejs/node · GitHub
Open Graph Title: tools: bump undici from 6.23.0 to 6.24.0 in /tools/doc by dependabot[bot] · Pull Request #62247 · nodejs/node
X Title: tools: bump undici from 6.23.0 to 6.24.0 in /tools/doc by dependabot[bot] · Pull Request #62247 · nodejs/node
Description: Bumps undici from 6.23.0 to 6.24.0.
Release notes
Sourced from undici's releases.
v6.24.0
Undici v6.24.0 Security Release Notes (LTS)
This release backports fixes for security vulnerabilities affecting the v6 line.
Upgrade guidance
All users on v6 should upgrade to v6.24.0 or later.
Fixed advisories
GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).
GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.
GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.
GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.
GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.
Not applicable to v6
GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.
Affected and patched ranges (v6)
CVE-2026-1525: affected < 6.24.0, patched 6.24.0
CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
CVE-2026-1527: affected < 6.24.0, patched 6.24.0
CVE-2026-2229: affected < 6.24.0, patched 6.24.0
CVE-2026-1526: affected < 6.24.0, patched 6.24.0
References
GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526
Commits
8873c94 Bumped v6.24.0
411bd01 test(websocket): use node:assert for Node 18 compatibility
844bf59 test: fix http2 lint regressions in backport
a444e4f test: stabilize h2 and tls-cert-leak under current test runner
dc032a1 fix: h2 CI (#4395)
4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
7df6442 fix: adapt websocket frame-limit handling for v6 parser
4e0179a fix: reject duplicate content-length and host headers
5a97f08 Fix websocket 64-bit length overflow
e43e898 fix: validate upgrade header to prevent CRLF injection
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show
Open Graph Description: Bumps undici from 6.23.0 to 6.24.0. Release notes Sourced from undici's releases. v6.24.0 Undici v6.24.0 Security Release Notes (LTS) This release backports fixes for security vulnerabilities...
X Description: Bumps undici from 6.23.0 to 6.24.0. Release notes Sourced from undici's releases. v6.24.0 Undici v6.24.0 Security Release Notes (LTS) This release backports fixes for security vulnerabili...
Opengraph URL: https://github.com/nodejs/node/pull/62247
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:923283e5-f4e2-53a1-eceb-fcbd5062ee3a |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | B216:348CFA:17A6340:221C830:6A4CED6D |
| html-safe-nonce | 20a821a87a3a0fa83dfa1784316ce3970aa563c6f1c43491b7baab9fe35d18ee |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCMjE2OjM0OENGQToxN0E2MzQwOjIyMUM4MzA6NkE0Q0VENkQiLCJ2aXNpdG9yX2lkIjoiMzU1Mzc2ODA0OTczMDE4NjYwNiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | d4c21068b5374b37981695c466baf8e66667881f6aaa4ceabe371d267ddf6118 |
| hovercard-subject-tag | pull_request:3398492734 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/nodejs/node/pull/62247/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps undici from 6.23.0 to 6.24.0. Release notes Sourced from undici's releases. v6.24.0 Undici v6.24.0 Security Release Notes (LTS) This release backports fixes for security vulnerabilities... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 299b43bca6e02ad35197ffeba30d2466846d5fb02ab96fbced5b5e6cec589fb8 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | efec6750a5afcaeaf5dfcf629f404cf98c8371e3 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width