PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6734 undici CVE debrief

CVE-2026-6734 is a high-severity vulnerability affecting the undici module in Node.js. The vulnerability arises from the improper reuse of a single connection pool across different origins when using Socks5ProxyAgent. This can lead to cross-origin request routing, where credentials and request data intended for one origin are sent to another. The impact is significant, with a CVSS score of 7.5 and a HIGH severity rating. The vulnerability was introduced in undici version 7.23.0 and affects all versions up to 8.1.0. Users of Socks5ProxyAgent who make requests to multiple origins are particularly impacted.

Vendor
undici
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-07-07
Advisory published
2026-06-17
Advisory updated
2026-07-07

Who should care

Developers and administrators using undici, especially those who utilize Socks5ProxyAgent across multiple origins, should be aware of this vulnerability. Applications that rely on undici for handling HTTP requests and use Socks5ProxyAgent are at risk. This includes scenarios where undici is used directly or via setGlobalDispatcher. Given the high severity and potential for unauthorized access, immediate attention is recommended.

Technical summary

The vulnerability in undici arises from the Socks5ProxyAgent's improper handling of connection pools across different origins. When using Socks5ProxyAgent, undici reuses a single connection pool without verifying that the pool's origin matches the requested origin. This leads to cross-origin request routing issues, where requests and credentials intended for one origin may be sent to another. The vulnerability was introduced in undici version 7.23.0 and affects versions up to 8.1.0. The issue can be mitigated by upgrading to undici version 7.26.0 or 8.2.0, or by using separate Socks5ProxyAgent instances per origin.

Defensive priority

High

Recommended defensive actions

  • Upgrade to undici version 7.26.0 or 8.2.0
  • Use separate Socks5ProxyAgent instances per origin
  • Review and update affected applications to ensure proper isolation of origins
  • Monitor for suspicious cross-origin request activity
  • Perform vulnerability scanning to identify exposed systems
  • Implement additional logging and monitoring for cross-origin requests
  • Review and update incident response plans to address potential exploitation

Evidence notes

The CVE record was published on 2026-06-17T18:18:05.617Z and last modified on 2026-07-06T13:17:09.423Z. The NVD entry is currently Modified. Vendor advisories and mitigation strategies are available, including upgrades to undici versions 7.26.0 or 8.2.0.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:05.617Z and has not been modified since then. The NVD entry is currently Modified.