Update dependency undici to v7.2.3 [SECURITY] #5449
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
|
New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: pypi/[email protected], pypi/[email protected] |
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
62f18c0 to
eb01f48
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
eb01f48 to
ffb2082
Compare
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is an AI-detected potential code anomaly?AI has identified unusual behaviors that may pose a security risk. An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
This PR contains the following updates:
7.0.0->7.2.3GitHub Vulnerability Alerts
CVE-2025-22150
Impact
Undici
fetch()uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.
Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Workarounds
Do not issue multipart requests to attacker controlled servers.
References
Release Notes
nodejs/undici (undici)
v7.2.3Compare Source
Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).
What's Changed
Full Changelog: nodejs/undici@v7.2.2...v7.2.3
v7.2.2Compare Source
What's Changed
Full Changelog: nodejs/undici@v7.2.1...v7.2.2
v7.2.1Compare Source
What's Changed
undici:request:headersdoes not indicate completion of a response by @legendecas in https://github.com/nodejs/undici/pull/3974New Contributors
Full Changelog: nodejs/undici@v7.2.0...v7.2.1
v7.2.0Compare Source
What's Changed
Full Changelog: nodejs/undici@v7.1.1...v7.2.0
v7.1.1Compare Source
What's Changed
request+ "Garbage Collection" by @WTCT-TOP in https://github.com/nodejs/undici/pull/3916New Contributors
Full Changelog: nodejs/undici@v7.1.0...v7.1.1
v7.1.0Compare Source
What's Changed
Full Changelog: nodejs/undici@v7.0.0...v7.1.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.