Parse-Url · Url-Parse · CVE-2022-0639
**Name of the Vulnerable Software and Affected Versions**
url-parse versions prior to 1.5.7
**Description**
The issue allows for authorization bypass through a user-controlled key (CWE-639). A specially crafted URL containing an '@' sign but with empty user info and no hostname, when parsed with url-parse, returns an incorrect href. This can lead to incorrect security decisions if the 'hostname' or 'origin' attributes of the url-parse output are used to make an access decision and the final 'href' attribute of the same output is then used to make the request, because the two views of the URL no longer agree.
**Recommendations**
For versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue. As a temporary workaround, consider validating the 'hostname' and 'origin' attributes of the output from url-parse to ensure they match expected values before using the 'href' attribute to make a request. Restrict the use of the `parse()` function with untrusted input until the issue is resolved.
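The workaround above, written out as a guard a caller can put in front of its request layer. This is an added example, not code from the advisory or from the url-parse project: it treats the url-parse result as an untrusted object with `hostname`, `origin` and `href` fields, requires the hostname to be on an explicit allowlist (the allowlist and the sample inputs are constructed for illustration), and then re-parses the `href` that would actually be fetched with the WHATWG `URL` class built into Node.js, rejecting the request if that second view names a different host or origin. The disagreement between the two views is precisely what makes this class of bug dangerous, so the check fails closed on any mismatch.

```javascript
// Assumed allowlist of hosts this service is permitted to call.
const ALLOWED_HOSTS = new Set(['api.example.com']);

/**
 * Decide whether a parsed URL is safe to request.
 * `parsed` has the shape url-parse returns; only hostname, origin and href are read.
 * Returns { ok: true, url } or { ok: false, reason }.
 */
function checkParsedUrl(parsed, allowedHosts = ALLOWED_HOSTS) {
  const hostname = String(parsed.hostname || '').toLowerCase();
  if (!hostname) {
    return { ok: false, reason: 'empty hostname' };
  }
  if (!allowedHosts.has(hostname)) {
    return { ok: false, reason: `hostname ${hostname} not in allowlist` };
  }

  // Cross-check: what would the HTTP layer actually connect to if handed href?
  let actual;
  try {
    actual = new URL(parsed.href);
  } catch (e) {
    return { ok: false, reason: 'href is not a valid absolute URL' };
  }
  if (actual.hostname.toLowerCase() !== hostname) {
    return {
      ok: false,
      reason: `href resolves to ${actual.hostname}, not ${hostname}`,
    };
  }
  if (parsed.origin !== undefined && parsed.origin !== actual.origin) {
    return {
      ok: false,
      reason: `origin mismatch: ${parsed.origin} vs ${actual.origin}`,
    };
  }
  return { ok: true, url: actual.href };
}

// Constructed sample standing in for a url-parse result whose fields agree.
const consistent = {
  hostname: 'api.example.com',
  origin: 'https://api.example.com',
  href: 'https://api.example.com/v1/users',
};

// Constructed sample of the failure mode the advisory describes: the fields a
// policy check reads name one host, while the href a request layer would use
// points somewhere else. The guard must reject this.
const inconsistent = {
  hostname: 'api.example.com',
  origin: 'https://api.example.com',
  href: 'https://other.example.net/v1/users',
};

console.log(checkParsedUrl(consistent));   // { ok: true, url: 'https://api.example.com/v1/users' }
console.log(checkParsedUrl(inconsistent)); // { ok: false, reason: 'href resolves to other.example.net, not api.example.com' }
```

Keeping the allowlist comparison on `hostname` and the re-parse on `href` means the guard catches a mismatch regardless of which parser produced it, so it remains useful after upgrading to 1.5.7 as defence in depth.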