undici is vulnerable to Denial of Service (DoS)
37
Low Risk
The HTTP/2 client dispatcher mishandles stream lifecycle events. A response frame delivered to a still-live stream after the request has already completed calls the response-start path post-completion, tripping an internal assert(!this.completed) that throws on the HTTP/2 event tick and escapes as an uncaught exception that crashes the process; a session that has received GOAWAY rejects new streams and crashes instead of requeuing the request, and streams aborted with close() can leave the native HTTP/2 stream handle alive on busy multiplexed sessions. A malicious or misbehaving HTTP/2 server can drive these paths to crash the client or exhaust resources. The fix guards response handling against already-completed requests, requeues requests on GOAWAY'd sessions, and deterministically destroys aborted streams.
You are affected if you are using a version that falls within the vulnerable range and have HTTP/2 support enabled (for example allowH2: true).
undici is vulnerable to Denial of Service (DoS) in versions 8.3.0 - 8.6.0.
Upgrade the undici library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant