What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @mcollina in #4892

Full Changelog: v7.24.3...v7.24.4

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @hxinhan in #4881

Full Changelog: v7.24.2...v7.24.3

What's Changed

• fix fetch path logic by @KhafraDev in #4890
• remove maxDecompressedMessageSize by @KhafraDev in #4891

Full Changelog: v7.24.1...v7.24.2

Full Changelog: v6.24.0...v6.24.1

What's Changed

• fix: proto pollution by @rahulyadav5524 in #4885

Full Changelog: v7.24.0...v7.24.1

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

• CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0
• CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

What's Changed

• fix: prevent AbortController GC when redirect is 'error' by @mcollina in #4750
• docs: clarify UndiciHeaders validation guidance by @mcollina in #4832
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @dependabot[bot] in #4795
• build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @dependabot[bot] in #4794
• build(deps): bump github/codeql-action from 4.31.2 to 4.32.0 by @dependabot[bot] in #4793
• test: add unexpected disconnect guards to client test files by @samayer12 in #4833
• fix fetch stripping trailing ? from url by @KhafraDev in #4837
• fix: forward onResponseStarted through WrapHandler and UnwrapHandler by @7rulnik in #4840
• webidl: access keys in lexicographical order by @KhafraDev in #4841
• ci: disable coverage on Node.js 25 by @mcollina in #4852
• build(deps): bump uWebSockets.js from v20.56.0 to v20.58.0 in /benchmarks by @dependabot[bot] in #4855
• fix(h2): TypeError: Cannot read properties of null (reading 'servername') in _resume when H2 stream completes by @hxinhan in #4847
• fix(h2): ignore late data frames after request completion by @mcollina in #4845
• fix(handler): preserve latin1 header encoding in WrapHandler by @theamodhshetty in #4859
• docs(examples): add cache interceptor example with fetch by @nthbotast in #4864
• docs(dispatcher): clarify onResponseStart return value is ignored by @nthbotast in #4865
• feat: add SOCKS5 proxy support to ProxyAgent by @mcollina in #4385
• fix: harden header iterable checks for prototype-pollution scenarios by @mcollina in #4824
• fix(interceptor): preserve tuple headers in dns interceptor by @theamodhshetty in #4863
• docs(dispatcher): use RFC 2606 domains in interceptor examples by @nthbotast in #4873
• feat: add IP prioritization hints for HTTP/1.1 and HTTP/2 by @amyssnippet in #4831
• docs: clarify when to install undici vs using Node's built-in fetch by @travisbreaks in #4868
• docs(dispatcher): add cache interceptor fetch example by @nthbotast in #4870
• fix(dispatcher): pass socketPath to custom connect callbacks by @theamodhshetty in #4857

New Contributors

• @samayer12 made their first contribution in #4833
• @7rulnik made their first contribution in #4840
• @hxinhan made their first contribution in #4847
• @theamodhshetty made their first contribution in #4859
• @nthbotast made their first contribution in #4864
• @amyssnippet made their first contribution in #4831
• @travisbreaks made their first contribution in #4868

Full Changelog: v7.22.0...v7.23.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @styfle in #4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @jackhax in #4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @SuperOleg39 in #4676
• fix: route WebSocket upgrades through onRequestUpgrade by @mcollina in #4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @dependabot[bot] in #4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @mcollina in #4818
• feat: Support async cache stores in revalidation by @marcopiraccini in #4826

New Contributors

• @jackhax made their first contribution in #4816
• @marcopiraccini made their first contribution in #4826

Full Changelog: v7.21.0...v7.22.0

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @dependabot[bot] in #4796
• test: restore global dispatcher after fetch tests by @mcollina in #4790
• Add missing close method to WebSocketStream interface by @piotr-cz in #4802
• fix: error stream instead of canceling by @KhafraDev in #4804
• Fix clientTtl cleanup race in Agent by @mcollina in #4807
• feat(#4230): Implement pingInterval for dispatching PING frames by @metcoder95 in #4296
• fix: handle undefined __filename in bundled environments by @mcollina in #4812
• fix: set finalizer only for fetch responses by @tsctx in #4803

New Contributors

• @piotr-cz made their first contribution in #4802

Full Changelog: v7.20.0...v7.21.0