Releases: nodejs/undici
v8.5.0
⚠️ Security Release
This release line addresses 8 security advisories. Most are fixed in
v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.
Action required: Upgrade to undici 8.5.0 or later.
npm install undici@^8.5.0
Summary
| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 8.5.0 | 32dbf0b3 |
| GHSA-38rv-x7px-6hhq | CVE-2026-9675 | High (7.5) | 8.5.0 | b4c287b3 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 8.5.0 | 42d49559 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 8.2.0 | a516f870 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 8.5.0 | cb105d7c |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 8.5.0 | 5655ea43 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 8.5.0 | 5655ea43 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 8.5.0 | 6ea54ef8 |
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)
A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.
- Affected: applications using `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
- Workaround: none — upgrade is required.
WebSocket DoS via cumulative fragment bypass — CVE-2026-9675
GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments
Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
6.x and 7.x lines are not affected).
- Workaround: none — upgrade is required.
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
Fix: 42d49559 fix: honor requestTls when proxy is SOCKS5
The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.
- Affected: `ProxyAgent`/`Socks5ProxyAgent` over SOCKS5 that rely on `requestTls`.
- Workaround: route traffic through an HTTP-proxy `ProxyAgent`, where `requestTls` functions correctly.
Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734
GHSA-hm92-r4w5-c3mj · CWE-346 · Fixed in 8.2.0
Fix: a516f870 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)
Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.
- Affected: applications using `Socks5ProxyAgent` across multiple origins (introduced via #4385).
- Workaround: use a separate agent instance per origin.
Moderate severity
Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678
GHSA-pr7r-676h-xcf6 · CWE-524
Fix: cb105d7c fix(cache): trim qualified field names
The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.
- Affected: apps using the cache interceptor in shared mode that forward `Authorization` upstream and receive non-canonical qualified directives.
- Workaround: disable shared-cache mode for authenticated traffic, avoid caching authenticated responses, or add `Vary: Authorization` upstream.
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly
parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#3789.
- Workaround: sanitize values before forwarding — strip or reject CR, LF, NUL, `;`, and `=`.
Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: 6ea54ef8 fix: guard idle socket validation to skip fresh sockets, hardened by c9fbe9d2 keep idle validation on native timers (#5397) and ac5394b8 keep idle validation on global timers (#5407)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.
- Requirements: attacker-controlled/compromised upstream and active keep-alive reuse.
- Workaround: disable keep-alive reuse with `keepAliveTimeout: 0` on the `Client` or `Pool`.
Also in v8.5.0 (non-security)
v8.5.0 shipped the security fixes above alongside the following changes. These
are not security fixes — they are listed for completeness of the release. (The
two queue-poisoning hardening PRs, #5397
and #5407, are covered under
CVE-2026-6733 above and are not repeated here.)
- HTTP/2: #5408 don't rewind `kPendingIdx` past in-flight requests · #5391 allow h2 POST request multiplexing · #5406 reap idle HTTP/2 sessions · #5410 preserve h2 queue on out-of-order completion
- Features: #5416 add `bodyMixin.textStream()` · #5418 align EventSource with spec
- Docs / CI / tests: #5413 document request header validation · [#5383](...
v7.28.0
⚠️ Security Release
This release line addresses 7 security advisories, all shipped in v7.28.0.
Action required: Upgrade to undici 7.28.0 or later.
npm install undici@^7.28.0
The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is
an 8.x-only regression.
Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x
line — the vulnerable single-pool code was still present through v7.27.2. The
per-origin pool fix is 3805b8f8 (#5041).
Summary
| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)
A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.
- Affected: applications using `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
- Workaround: none — upgrade is required.
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
Fix: 04201f89 fix: honor requestTls when proxy is SOCKS5 (#5417)
The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.
- Affected: `ProxyAgent`/`Socks5ProxyAgent` over SOCKS5 that rely on `requestTls`.
- Workaround: route traffic through an HTTP-proxy `ProxyAgent`, where `requestTls` functions correctly.
Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734
GHSA-hm92-r4w5-c3mj · CWE-346
Fix: 3805b8f8 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)
Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.
- Affected: applications using `Socks5ProxyAgent` across multiple origins (introduced in 7.23.0 via #4385).
- Workaround: use a separate agent instance per origin.
Moderate severity
Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678
GHSA-pr7r-676h-xcf6 · CWE-524
Fix: 85a24055 fix(cache): trim qualified field names
The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.
- Affected: apps using the cache interceptor in shared mode that forward `Authorization` upstream and receive non-canonical qualified directives.
- Workaround: disable shared-cache mode for authenticated traffic, avoid caching authenticated responses, or add `Vary: Authorization` upstream.
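An added example, not undici's cache interceptor code, of the parsing problem behind this advisory (the same advisory appears in the v8.5.0 entry above): a small Cache-Control parser whose `trimFields` switch reproduces the pre-fix and post-fix matching of quoted field names. The header value is constructed, and the function names and the shared-cache lookup are assumptions made for the example.

```javascript
// Added example, not undici's cache interceptor. The `trimFields` switch
// reproduces the pre-fix (false) and post-fix (true) handling of the
// field-name list inside a qualified directive such as private="...".

// Splits a Cache-Control value on commas that are outside quoted strings.
function splitDirectives (value) {
  const out = []
  let cur = ''
  let inQuotes = false
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes
    if (ch === ',' && !inQuotes) { out.push(cur); cur = '' } else cur += ch
  }
  out.push(cur)
  return out.map(s => s.trim()).filter(Boolean)
}

// Returns Map<name, true | string | string[]>: bare directives map to true,
// unquoted arguments (max-age=60) to their string, and quoted field lists
// (private="a, b") to an array of lower-cased field names.
function parseCacheControl (value, { trimFields = true } = {}) {
  const directives = new Map()
  for (const directive of splitDirectives(value)) {
    const eq = directive.indexOf('=')
    if (eq === -1) { directives.set(directive.toLowerCase(), true); continue }
    const name = directive.slice(0, eq).trim().toLowerCase()
    const arg = directive.slice(eq + 1).trim()
    if (arg.length < 2 || !arg.startsWith('"') || !arg.endsWith('"')) {
      directives.set(name, arg)
      continue
    }
    // Pre-fix behaviour keeps the padding, so " authorization" never
    // equals "authorization" in a later lookup.
    const fields = arg.slice(1, -1).split(',')
      .map(f => (trimFields ? f.trim() : f).toLowerCase())
      .filter(Boolean)
    directives.set(name, fields)
  }
  return directives
}

// True when `field` is named in the given qualified directive. A shared
// cache uses this to decide which response fields it must not store
// (RFC 9111 Section 5.2.2.7); a false negative here is the disclosure path.
function isFieldListed (directives, directive, field) {
  const fields = directives.get(directive)
  return Array.isArray(fields) && fields.includes(field.toLowerCase())
}

// Constructed header modelled on the advisory: padding inside the quotes.
const PADDED_HEADER = 'max-age=60, private=" authorization"'
console.log(isFieldListed(parseCacheControl(PADDED_HEADER, { trimFields: false }), 'private', 'Authorization')) // false
console.log(isFieldListed(parseCacheControl(PADDED_HEADER), 'private', 'Authorization'))                       // true
```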
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly
parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#3789.
- Workaround: sanitize values before forwarding — strip or reject CR, LF, NUL, `;`, and `=`.
Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: ea8930cf fix: guard idle socket validation to skip fresh sockets, hardened by 8e4046e4 keep idle validation on native timers (#5402) and 0fa80869 keep idle validation on global timers (#5409)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.
- Requirements: attacker-controlled/compromised upstream and active keep-alive reuse.
- Workaround: disable keep-alive reuse with `keepAliveTimeout: 0` on the `Client` or `Pool`.
Release contents & deliberate backports
v7.28.0 is a security-only release — every change in it is one of the fixes
above, backported to the v7.x maintenance line on purpose from the v8
development line:
- #5423 — backport of the WebSocket `maxPayloadSize` fragment-count / cumulative-size limits (CVE-2026-12151).
- #5402 — backport of the idle-validation hardening (native + global timers) for the queue-poisoning fix (CVE-2026-6733).
- #5417 — `requestTls` over SOCKS5 fix (CVE-2026-9697).
The cookie (d0574cc4),
cache (85a24055) and
queue-poisoning core (ea8930cf)
fixes were applied directly to the v7.x branch. Full changelog:
v7.27.2...v7.28.0.
Credits
Per-advisory credits (as recorded in each GHSA):
- CVE-2026-12151 — reported by @lpinca & @Nadav0077; reviewed by @UlisesGascon.
- CVE-2026-9697 — reported by @tonghuaroot; reviewed by @UlisesGascon.
- CVE-2026-6734 — reported by [@ChALkeR](https://github.co...
v6.27.0
⚠️ Security Release
This release line addresses 4 security advisories.
Action required: Upgrade to undici 6.27.0 or later.
npm install undici@^6.27.0
Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0 — v6.26.0
contains only the chunked-EOF fix (#5308) and the version bump, none of the
security fixes below.
The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g,
GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the
8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).
Summary
| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 6.27.0 | b7f252e7 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 6.27.0 | 25efa447 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 6.27.0 | 25efa447 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 6.27.0 | f4c31d60 |
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)
A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service. All releases from 6.17.0 onward are affected.
- Affected: applications using `new WebSocket(...)` or `WebSocketStream` against untrusted endpoints.
- Workaround: none — upgrade is required.
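The two limits behind this advisory (which also appears in the v8.5.0 and v7.28.0 entries above) and the cumulative-size regression CVE-2026-9675 described in the v8.5.0 entry, as an added example that is not undici's websocket code: a fragment reassembler that works on already-decoded frames and rejects a message once either `maxPayloadSize` or `maxFragments` would be exceeded. The frame object shape, the `MessageAssembler` class and its default limits are assumptions made for the example.

```javascript
// Added example, not undici's websocket code. Frames are assumed to be
// already decoded into { fin, opcode, payload: Buffer } objects.
const OPCODE = { CONTINUATION: 0x0, TEXT: 0x1, BINARY: 0x2 }

class MessageAssembler {
  // maxPayloadSize caps cumulative bytes across fragments (CVE-2026-9675);
  // maxFragments caps frames per message, so small or empty continuation
  // frames cannot grow per-message state without bound (CVE-2026-12151).
  constructor ({ maxPayloadSize = 1024 * 1024, maxFragments = 1024 } = {}) {
    this.maxPayloadSize = maxPayloadSize
    this.maxFragments = maxFragments
    this.reset()
  }

  reset () {
    this.fragments = []   // payloads received so far for the current message
    this.opcode = null    // opcode of the first frame; null while idle
    this.totalBytes = 0   // cumulative payload size across fragments
  }

  // Feed one frame. Returns { opcode, data } when `fin` completes a message,
  // null while assembling. Throws when a limit would be exceeded; a client
  // would then close with status 1009 (Message Too Big). Both checks run
  // before the payload is buffered, so the offending frame is never kept.
  push ({ fin, opcode, payload }) {
    if (opcode === OPCODE.CONTINUATION) {
      if (this.opcode === null) throw new Error('continuation without a message')
    } else if (this.opcode !== null) {
      throw new Error('new message while another is in progress')
    } else {
      this.opcode = opcode
    }
    if (this.totalBytes + payload.length > this.maxPayloadSize) {
      this.reset(); throw new Error('message exceeds maxPayloadSize')
    }
    if (this.fragments.length + 1 > this.maxFragments) {
      this.reset(); throw new Error('message exceeds maxFragments')
    }
    this.fragments.push(payload)
    this.totalBytes += payload.length
    if (!fin) return null
    const message = { opcode: this.opcode, data: Buffer.concat(this.fragments) }
    this.reset()
    return message
  }
}

// Feeds a frame sequence; returns 'ok' or the message of the limit that tripped.
function feedAll (assembler, frames) {
  try {
    for (const frame of frames) assembler.push(frame)
    return 'ok'
  } catch (err) {
    return err.message
  }
}

// Builds a constructed frame carrying `size` zero bytes.
const frame = (fin, opcode, size) => ({ fin, opcode, payload: Buffer.alloc(size) })
// Constructed sequences: a text frame plus 5000 empty continuations, and
// three 400-byte fragments against a 1000-byte cap.
const emptyFlood = [frame(false, OPCODE.TEXT, 0), ...Array.from({ length: 5000 }, () => frame(false, OPCODE.CONTINUATION, 0))]
const oversized = [frame(false, OPCODE.BINARY, 400), frame(false, OPCODE.CONTINUATION, 400), frame(true, OPCODE.CONTINUATION, 400)]
console.log(feedAll(new MessageAssembler({ maxFragments: 1024 }), emptyFlood))   // message exceeds maxFragments
console.log(feedAll(new MessageAssembler({ maxPayloadSize: 1000 }), oversized)) // message exceeds maxPayloadSize
```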
Moderate severity
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679
GHSA-p88m-4jfj-68fv · CWE-93
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly
parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning.
- Workaround: sanitize values before forwarding — strip or reject CR, LF, NUL, `;`, and `=`.
Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525
GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly
The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.
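An added example, not undici's own `parseSetCookie`, covering this advisory and CVE-2026-9679 above (the same two cookie fixes appear in the v8.5.0 and v7.28.0 entries): a minimal Set-Cookie parser that keeps values undecoded, matches SameSite exactly, and includes the advisory's workaround check for values forwarded into response headers. The inputs are constructed and the function names are assumptions made for the example.

```javascript
// Added example, not undici's parseSetCookie. `percentDecode: true`
// reproduces the pre-fix behaviour the advisory describes; the default
// keeps the value exactly as received, as RFC 6265 Section 5.4 requires.
const SAMESITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']])

// Parses one Set-Cookie header value into { name, value, ...attributes }.
// Returns null when the header carries no name=value pair.
function parseSetCookieHeader (header, { percentDecode = false } = {}) {
  const [pair, ...attrs] = header.split(';')
  const eq = pair.indexOf('=')
  if (eq === -1) return null
  const name = pair.slice(0, eq).trim()
  let value = pair.slice(eq + 1).trim()
  if (percentDecode) {
    // Pre-fix: %0D%0A and %00 become literal CR LF and NUL bytes.
    try { value = decodeURIComponent(value) } catch {}
  }
  const cookie = { name, value }
  for (const attr of attrs) {
    const i = attr.indexOf('=')
    const attrName = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase()
    const attrValue = i === -1 ? '' : attr.slice(i + 1).trim()
    if (attrName === 'samesite') {
      // Exact, case-insensitive match only: "NoneOfYourBusiness" and
      // "StrictLax" are not read as None / Lax. Unrecognised values are
      // dropped here rather than guessed.
      const canonical = SAMESITE.get(attrValue.toLowerCase())
      if (canonical !== undefined) cookie.sameSite = canonical
    } else if (attrName === 'secure' || attrName === 'httponly') {
      cookie[attrName === 'secure' ? 'secure' : 'httpOnly'] = true
    } else if (attrName === 'path' || attrName === 'domain') {
      cookie[attrName] = attrValue
    }
  }
  return cookie
}

// The advisory's workaround for code that forwards parsed values into
// response headers: reject anything containing CR, LF, NUL, ';' or '='.
function isSafeToForward (value) {
  return !/[\r\n\0;=]/.test(value)
}

// Constructed inputs modelled on the advisory text.
const ENCODED_CRLF = 'sid=abc%0D%0AX-Injected:%20yes; Path=/'
const BAD_SAMESITE = 'sid=abc; SameSite=NoneOfYourBusiness; Secure'

console.log(parseSetCookieHeader(ENCODED_CRLF).value)                                           // abc%0D%0AX-Injected:%20yes
console.log(isSafeToForward(parseSetCookieHeader(ENCODED_CRLF, { percentDecode: true }).value)) // false
console.log(parseSetCookieHeader(BAD_SAMESITE).sameSite)                                        // undefined
```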
HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733
GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: f4c31d60 fix: guard idle socket validation to skip fresh sockets (#5400)
An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.
- Requirements: attacker-controlled/compromised upstream and active keep-alive reuse.
- Workaround: disable keep-alive reuse with `keepAliveTimeout: 0` on the `Client` or `Pool`.
Release contents & deliberate backports
v6.27.0 is a security-only release — every change in it is one of the fixes
above, backported to the v6.x maintenance line on purpose:
- #5428 — backport of the WebSocket `maxPayloadSize` fragment-count / cumulative-size limits to v6.x (CVE-2026-12151; this is the v6 counterpart of the v7 backport #5423).
- #5400 — idle-socket-validation fix for the queue-poisoning issue (CVE-2026-6733).
The cookie fix (25efa447,
covering both CVE-2026-9679 and CVE-2026-11525) was applied directly to the v6.x
branch. Full changelog:
v6.26.0...v6.27.0.
Credits
Per-advisory credits (as recorded in each GHSA):
- CVE-2026-12151 — reported by @lpinca & @Nadav0077; reviewed by @UlisesGascon.
- CVE-2026-9679 — reported by @tndud042713; fixed by @mcollina; reviewed by @KhafraDev & @UlisesGascon.
- CVE-2026-11525 — fixed by @mcollina; reviewed by @UlisesGascon.
- CVE-2026-6733 — fixed by @mcollina; verified by @UlisesGascon.
v8.4.1
What's Changed
- test: avoid localhost lookup in fetch cookies tests by @mcollina in #5363
- fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#5216) by @mcollina in #5343
- fix(dns): skip requests without origin by @marko1olo in #5376
- docs: add Getting Started guide by @AliMahmoudDev in #5371
- docs: fix code examples that crash at runtime and other inaccuracies by @AliMahmoudDev in #5386
- fix: handle paused parser on socket end (issue #5360) by @mcollina in #5389
- fix(client): reject pipelined TLS altname errors by @marko1olo in #5373
- docs: fix multiple inaccuracies in API documentation by @AliMahmoudDev in #5384
- docs: fix remaining broken links in API documentation by @AliMahmoudDev in #5342
New Contributors
- @marko1olo made their first contribution in #5376
Full Changelog: v8.4.0...v8.4.1
v8.4.0
What's Changed
- fix: register connect listener before initiating requests in close-and-destroy test by @mcollina in #5272
- test: stabilize tls-cert-leak regression by @mcollina in #5306
- fix: replace tspl with native test context in test/examples.js by @mcollina in #5300
- http2: remove redundant request stream binding by @trivikr in #5302
- test: limit cache-tests workers on Windows by @mcollina in #5309
- test: use test context cleanup hooks in parser issue tests by @mcollina in #5282
- Add redirect option to strip headers on redirect by @mcollina in #5281
- chore(test): fix lint failure by @aduh95 in #5316
- chore(ci): use `npm ci` instead of `npm install` by @aduh95 in #5315
- docs: clarify formData security considerations by @mcollina in #5320
- docs: add EventSource server example by @Will-thom in #5321
- fix(core): simplify `addAbortListener` util by @aduh95 in #5317
- build(deps-dev): bump ws from 8.20.0 to 8.21.0 by @dependabot[bot] in #5325
- build(deps-dev): bump jsondiffpatch from 0.7.3 to 0.7.6 by @dependabot[bot] in #5313
- docs: match undici EoL to node version it's bundled in by @trivikr in #5330
- fix: handle all HTTP/2 request stream sync errors by @mcollina in #5311
- fix: preserve timeout errors for HTTP/2 requests by @mcollina in #5091
- fix(core): normalize autoSelectFamily timeout AggregateError by @youcefzemmar in #5329
- chore(core): define `kEnumerableProperty` atomically by @aduh95 in #5332
- chore(core): use `regex.exec` instead of `string.match` by @aduh95 in #5331
- fix: reset invalid HTTP/2 sessions by @mcollina in #5310
- feat(connect): add `preferH2` connector option to offer h2 first in ALPN by @Antamansid in #5327
- test: fix flaky http2 trailers test by @mcollina in #5338
- fix(mock): restore single-arg MockCallHistory.filterCallsByX by @youcefzemmar in #5328
- docs: document missing error types in Errors.md by @cesarvspr in #5339
- build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @dependabot[bot] in #5346
- build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @dependabot[bot] in #5347
- build(deps): bump uWebSockets.js from v20.67.0 to v20.68.0 in /benchmarks by @dependabot[bot] in #5352
- build(deps): bump concurrently from 9.2.1 to 10.0.3 in /benchmarks by @dependabot[bot] in #5353
- build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4 by @dependabot[bot] in #5348
- build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in #5351
- build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 by @dependabot[bot] in #5349
- docs: improve connect option documentation in Client.md by @AliMahmoudDev in #5344
- fix(mock): do not persist snapshots on close in playback mode by @GeoffreyBooth in #5359
- fix(fetch): remove abort listener when request settles by @ATOM00blue in #5318
- test: add Node.js global fetch regression coverage by @mcollina in #5361
- fix(h2): make Client multiplex on h2 (#4143) by @mcollina in #5362
New Contributors
- @Will-thom made their first contribution in #5321
- @youcefzemmar made their first contribution in #5329
- @Antamansid made their first contribution in #5327
- @cesarvspr made their first contribution in #5339
- @AliMahmoudDev made their first contribution in #5344
- @ATOM00blue made their first contribution in #5318
Full Changelog: v8.3.0...v8.4.0
v7.27.2
What's Changed
Full Changelog: v7.27.1...v7.27.2
v7.27.1
What's Changed
Full Changelog: v7.27.0...v7.27.1
v7.27.0
What's Changed
Full Changelog: v7.26.0...v7.27.0
v7.26.0
v6.26.0
What's Changed
Full Changelog: v6.25.0...v6.26.0