PT-2026-50513 · Undici · Undici

Chalker +3 · Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-6734

CVSS v3.1: 7.5 High

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

undici versions 7.23.0 through 8.1.0

Description

When using Socks5ProxyAgent, the software reuses a single connection pool across different origins without verifying whether the pool's origin matches the requested origin. This leads to cross-origin request routing: all requests are dispatched through the pool connected to the first origin, regardless of the intended destination. Consequently, credentials and request data meant for one origin are sent to another, responses from incorrect origins are trusted, and HTTPS requests may be silently downgraded to HTTP.

Recommendations

For versions 7.23.0 through 7.25.x, upgrade to version 7.26.0. For versions 8.0.0 through 8.1.0, upgrade to version 8.2.0. Use a separate Socks5ProxyAgent instance per origin. Avoid using Socks5ProxyAgent with multiple origins.
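
One way to apply the "separate instance per origin" recommendation where an upgrade is not yet possible, shown as an added example that is not part of the advisory or of undici. `PerOriginAgents` and the `makeAgent` factory are hypothetical names; the factory is assumed to build one Socks5ProxyAgent per call, and a fake factory stands in for it here so the routing can be checked offline.

```javascript
// Hypothetical helper (not undici API): one proxy agent per origin, never shared.
// `makeAgent` is a caller-supplied factory (assumption), for example a function
// that constructs a Socks5ProxyAgent; it is called once per distinct origin.
class PerOriginAgents {
  constructor(makeAgent) {
    this.makeAgent = makeAgent;
    this.agents = new Map(); // origin string -> agent
  }

  // Normalise to scheme://host[:port] so https://a and http://a never share.
  static originOf(url) {
    const u = new URL(url);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') {
      throw new TypeError(`unsupported scheme: ${u.protocol}`);
    }
    return u.origin;
  }

  // Return the agent bound to this URL's origin, creating it on first use.
  agentFor(url) {
    const origin = PerOriginAgents.originOf(url);
    let agent = this.agents.get(origin);
    if (agent === undefined) {
      agent = this.makeAgent(origin);
      this.agents.set(origin, agent);
    }
    return agent;
  }
}

// Constructed demo: a fake factory records which origin each agent was built for.
function demo() {
  const built = [];
  const agents = new PerOriginAgents((origin) => {
    built.push(origin);
    return { boundOrigin: origin };
  });
  const urls = [
    'https://api.example.test/v1/token',
    'https://api.example.test/v1/users',    // same origin: reuses the agent
    'http://api.example.test/v1/users',     // scheme differs: no HTTPS/HTTP sharing
    'https://cdn.example.test/asset.js',    // host differs
    'https://api.example.test:8443/health', // port differs
    'https://api.example.test:443/',        // default port: same as the first
  ];
  const routed = urls.map((u) => agents.agentFor(u).boundOrigin);
  return { built, routed };
}
```

Pass the agent returned by `agentFor(url)` as the dispatcher for that request only, so no request is ever sent through an agent created for a different origin.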

Fix

Origin Validation Error

Weakness Enumeration

Related Identifiers

CVE-2026-6734

Affected Products

Undici