PatchSiren cyber security CVE debrief
CVE-2026-6734 undici CVE debrief
CVE-2026-6734 is a high-severity vulnerability affecting the undici module in Node.js. The vulnerability arises from the improper reuse of a single connection pool across different origins when using Socks5ProxyAgent. This can lead to cross-origin request routing, where credentials and request data intended for one origin are sent to another. The impact is significant, with a CVSS score of 7.5 and a HIGH severity rating. The vulnerability was introduced in undici version 7.23.0 and affects all versions up to 8.1.0. Users of Socks5ProxyAgent who make requests to multiple origins are particularly impacted.
- Vendor
- undici
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-07-07
Who should care
Developers and administrators using undici, especially those who utilize Socks5ProxyAgent across multiple origins, should be aware of this vulnerability. Applications that rely on undici for handling HTTP requests and use Socks5ProxyAgent are at risk. This includes scenarios where undici is used directly or via setGlobalDispatcher. Given the high severity and potential for unauthorized access, immediate attention is recommended.
Technical summary
The vulnerability in undici arises from the Socks5ProxyAgent's improper handling of connection pools across different origins. When using Socks5ProxyAgent, undici reuses a single connection pool without verifying that the pool's origin matches the requested origin. This leads to cross-origin request routing issues, where requests and credentials intended for one origin may be sent to another. The vulnerability was introduced in undici version 7.23.0 and affects versions up to 8.1.0. The issue can be mitigated by upgrading to undici version 7.26.0 or 8.2.0, or by using separate Socks5ProxyAgent instances per origin.
Defensive priority
High
Recommended defensive actions
- Upgrade to undici version 7.26.0 or 8.2.0
- Use separate Socks5ProxyAgent instances per origin
- Review and update affected applications to ensure proper isolation of origins
- Monitor for suspicious cross-origin request activity
- Perform vulnerability scanning to identify exposed systems
- Implement additional logging and monitoring for cross-origin requests
- Review and update incident response plans to address potential exploitation
Evidence notes
The CVE record was published on 2026-06-17T18:18:05.617Z and last modified on 2026-07-06T13:17:09.423Z. The NVD entry is currently Modified. Vendor advisories and mitigation strategies are available, including upgrades to undici versions 7.26.0 or 8.2.0.
Official resources
-
CVE-2026-6734 CVE record
CVE.org
-
CVE-2026-6734 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
ce714d77-add3-4f53-aff5-83d477b104bb - Vendor Advisory
-
Mitigation or vendor reference
ce714d77-add3-4f53-aff5-83d477b104bb - Mitigation, Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:05.617Z and has not been modified since then. The NVD entry is currently Modified.