PT-2026-50517 · Undici · Undici

Tonghuaroot +1

Published 2026-06-17 · Updated 2026-06-17

CVE-2026-9697

CVSS v3.1: 7.4 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
undici versions 7.23.0 through 7.27.x
undici versions 8.0.0 through 8.4.x
Description
The ProxyAgent in undici silently drops the requestTls option when it is configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection made through the SOCKS5 tunnel therefore falls back to the default Node.js trust store, ignoring user-defined settings such as ca, cert, key, rejectUnauthorized, and servername. As a result, applications that rely on requestTls.ca to pin to an internal or corporate Certificate Authority (CA) use the default Mozilla CA bundle instead, so any certificate for the target hostname signed by a publicly trusted CA is accepted. This enables a man-in-the-middle (MITM) attacker to read and tamper with the HTTPS exchange.
Recommendations
Upgrade to version 7.28.0.
Upgrade to version 8.5.0.
Route traffic through an HTTP-proxy ProxyAgent instead of a SOCKS5 proxy so that requestTls is honored correctly.
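The following is an added example, not code from undici or from this advisory's authors: a small pre-flight audit that a deployment can run over its ProxyAgent options before constructing the agent. It flags exactly the combination the advisory describes (a socks5:// or socks:// proxy URI together with a requestTls option) when the installed undici version falls in the affected ranges, so the process fails closed instead of silently losing its CA pinning. The option names uri and requestTls follow undici's ProxyAgent; the helper names, the sample configurations and the placeholder CA PEM are assumptions constructed for the example.

```javascript
// Added example (not undici's own code). Audits ProxyAgent options against
// the advisory: requestTls is dropped for socks5:// and socks:// proxies in
// undici 7.23.0 - 7.27.x and 8.0.0 - 8.4.x.

// Affected ranges as stated in the advisory. Infinity stands for "any patch".
const AFFECTED_RANGES = [
  { min: [7, 23, 0], max: [7, 27, Infinity] },
  { min: [8, 0, 0], max: [8, 4, Infinity] },
];

// Schemes the advisory names as triggering the bug.
const SOCKS_SCHEMES = new Set(['socks5:', 'socks:']);

// Parse "7.25.1" (optionally with a leading "v") into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given undici version is inside one of the affected ranges.
function isAffectedUndiciVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

// Audit a ProxyAgent option object (or bare proxy URI string) for the
// installed undici version. Returns a list of findings; empty means safe.
function auditProxyAgentOptions(options, undiciVersion) {
  const findings = [];
  const uri = typeof options === 'string' ? options : options.uri;
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return [`proxy uri is not a valid URL: ${uri}`];
  }
  const requestTls = typeof options === 'object' ? options.requestTls : undefined;

  // The advisory's condition: SOCKS proxy + requestTls + affected version.
  if (SOCKS_SCHEMES.has(parsed.protocol) && requestTls && isAffectedUndiciVersion(undiciVersion)) {
    const keys = Object.keys(requestTls).join(', ');
    findings.push(
      `requestTls (${keys}) is silently dropped for ${parsed.protocol}// proxies ` +
        `in undici ${undiciVersion}; upgrade to 7.28.0 / 8.5.0 or use an http(s):// proxy`
    );
  }
  return findings;
}

// Fail closed: throw instead of building an agent whose pinning is ignored.
function assertSafeProxyAgentOptions(options, undiciVersion) {
  const findings = auditProxyAgentOptions(options, undiciVersion);
  if (findings.length > 0) throw new Error(findings.join('; '));
  return options;
}

// Constructed sample configurations (placeholder CA, hypothetical hosts).
const PINNED_CA_PEM =
  '-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real CA)\n-----END CERTIFICATE-----\n';
const socksPinned = {
  uri: 'socks5://proxy.internal.example:1080',
  requestTls: { ca: [PINNED_CA_PEM], servername: 'api.internal.example' },
};
const httpPinned = {
  uri: 'http://proxy.internal.example:3128',
  requestTls: { ca: [PINNED_CA_PEM] },
};

// Usage: run the audit for an installed version and print the findings.
console.log(auditProxyAgentOptions(socksPinned, '7.25.0')); // one finding
console.log(auditProxyAgentOptions(socksPinned, '7.28.0')); // []
console.log(auditProxyAgentOptions(httpPinned, '7.25.0'));  // []
```

In a real service the version passed in would come from the installed package's metadata rather than a literal, and assertSafeProxyAgentOptions would wrap the ProxyAgent constructor so that a SOCKS configuration with CA pinning cannot reach production on an affected release.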

Fix

Weakness Enumeration
Improper Certificate Validation

Related Identifiers
CVE-2026-9697

Affected Products

Undici