New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency undici to v6.21.1 [SECURITY] #1114

Merged

ericglau merged 1 commit into master from renovate/npm-undici-vulnerability

Jan 21, 2025

Contributor

renovate bot commented Jan 21, 2025

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`6.19.8` -> `6.21.1`

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

Release Notes

nodejs/undici (undici)

`v6.21.1`

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

fix(#3736): back-port 183f8e9 to v6.x by @ggoodman in https://github.com/nodejs/undici/pull/3855
fix(#3817): send servername for SNI on TLS (#3821) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3864
fix: sending formdata bodies with http2 (#3863) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3866
[Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @github-actions in https://github.com/nodejs/undici/pull/3877
types: [backport] Update return type of RetryCallback (#3851) by @metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

`v6.21.0`

What's Changed

[Backport v6.x] web: mark as uncloneable when possible (#3709) by @jazelly in https://github.com/nodejs/undici/pull/3744
[Backport v6.x] fetch: fix content-encoding order by @github-actions in https://github.com/nodejs/undici/pull/3764
[Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @github-actions in https://github.com/nodejs/undici/pull/3822
[Backport v6.x] fix: range end is zero-indexed by @github-actions in https://github.com/nodejs/undici/pull/3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

`v6.20.1`

`v6.20.0`

What's Changed

Remove patched dom types (v6.x branch) by @eXhumer in https://github.com/nodejs/undici/pull/3531
docs(Backport v6.x): Fix signature of RetryHandler by @github-actions in https://github.com/nodejs/undici/pull/3594
deps(dev): update @types/node by @metcoder95 in https://github.com/nodejs/undici/pull/3618
fix: throw on retry when payload is consume by downstream by @github-actions in https://github.com/nodejs/undici/pull/3596
feat(Backport v6.x): move throwOnError to interceptor by @github-actions in https://github.com/nodejs/undici/pull/3595
[Backport v6.x] fix: reduce memory usage in client-h1 by @github-actions in https://github.com/nodejs/undici/pull/3672
[Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @github-actions in https://github.com/nodejs/undici/pull/3673
[Backport v6.x] fix: run asserts first if possible by @github-actions in https://github.com/nodejs/undici/pull/3674
[Backport v6.x] fix: use fasttimers for all connection timeouts by @github-actions in https://github.com/nodejs/undici/pull/3675
[Backport v6.x] ci: less flaky test/request-timeout.js test by @github-actions in https://github.com/nodejs/undici/pull/3678
[Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @github-actions in https://github.com/nodejs/undici/pull/3679
[Backport v6.x] ignore leading and trailing crlfs in formdata body by @github-actions in https://github.com/nodejs/undici/pull/3681
[Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @github-actions in https://github.com/nodejs/undici/pull/3689
[Backport v6.x] handle body errors by @Uzlopak in https://github.com/nodejs/undici/pull/3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency undici to v6.21.1 [SECURITY]

73aead0

socket-security bot commented Jan 21, 2025

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

🚮 Removed packages: npm/@nomicfoundation/[email protected], npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected], npm/[email protected]

View full report↗︎

ericglau approved these changes

View reviewed changes

ericglau merged commit b739716 into master

13 checks passed

ericglau deleted the renovate/npm-undici-vulnerability branch

January 21, 2025 22:20

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet