Tndud042713

**Name of the Vulnerable Software and Affected Versions** undici versions 5.15.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x **Description** When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a substring instead of requiring a case-insensitive exact match as specified by RFC 6265. This allows non-spec values to be silently mapped to standard tokens; for instance, SameSite=NoneOfYourBusiness is parsed as None, and SameSite=StrictLax is parsed as Lax. Applications that consume Set-Cookie headers via fetch or proxy code paths and rely on the parsed `sameSite` attribute can be coerced by a malicious or non-compliant server into applying a weaker SameSite policy, degrading the intended cookie enforcement. **Recommendations** Upgrade to version 6.26.0. Upgrade to version 7.28.0. Upgrade to version 8.5.0. As a temporary workaround, validate that the resulting `sameSite` attribute is exactly 'Strict', 'Lax', or 'None' (case-insensitive) after parsing a Set-Cookie header and before relying on it.

**Name of the Vulnerable Software and Affected Versions** undici versions 6.x prior to 6.26.0 undici versions 7.0.0 through 7.27.x undici versions 8.x prior to 8.5.0 **Description** The cookie parser in the `parseSetCookie` function percent-decodes cookie values using `qsUnescape`, which converts encoded sequences such as %0D%0A, %00, %3B, and %3D into literal byte equivalents. This behavior deviates from RFC 6265 §5.4 and browser standards, which do not specify such decoding. Applications that use `parseSetCookie`, `parseCookie`, or `getSetCookies` and subsequently forward these parsed values into response headers (such as proxies, middleware, or SSR frameworks) are susceptible to HTTP response header injection. This allows an attacker-controlled upstream source to inject arbitrary Set-Cookie, Location, or Cache-Control headers into the downstream response, potentially leading to session fixation, open redirect, or cache poisoning. **Recommendations** Upgrade to version 6.26.0 for versions in the 6.x branch. Upgrade to version 7.28.0 for versions in the 7.x branch. Upgrade to version 8.5.0 for versions in the 8.x branch. As a temporary workaround, sanitize values returned by `parseSetCookie()`, `parseCookie()`, or `getSetCookies()` to strip or reject CR, LF, NUL, ;, and = bytes before forwarding them into response headers.

**Name of the Vulnerable Software and Affected Versions** multer versions 1.0.0 through 2.1.1 multer version 3.0.0-alpha.1 **Description** A Denial of Service issue exists due to the way the `append-field` dependency parses bracket notation in field names within multipart form data. Because there is no limit on nesting depth, an attacker can send a single HTTP request with a crafted multipart body to force the allocation of deeply nested object structures, leading to excessive CPU and memory consumption. **Recommendations** For versions 1.0.0 through 2.1.1, upgrade to version 2.2.0 and configure the `limits.fieldNestingDepth` option to the minimum depth required by the application. For version 3.0.0-alpha.1, upgrade to version 3.0.0-alpha.2 and configure the `limits.fieldNestingDepth` option to the minimum depth required by the application. As a temporary mitigation, set `limits.fields` to a reasonable value to reduce the number of fields allowed per request.

**Name of the Vulnerable Software and Affected Versions** Happy DOM versions 15.10.0 through 20.8.7 **Description** Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions 15.10.0 through 20.8.7 contain a code injection issue in the `ECMAScriptModuleCompiler` component. This allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression. The quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. **Recommendations** Update to version 20.8.8 to resolve the issue.