PatchSiren cyber security CVE debrief

CVE-2026-9697 undici CVE debrief

CVE-2026-9697 is a high-severity vulnerability (CVSS score of 7.4) affecting undici's ProxyAgent when used with SOCKS5 proxy URIs. The issue causes the requestTls option to be silently dropped, so the connection falls back to Node's default trust store. This results in an unintended change of trust anchors and opens the connection to potential MITM attacks. The vulnerability was introduced in undici version 7.23.0 and is fixed by upgrading to version 7.28.0 or 8.5.0. Applications using undici's ProxyAgent or Socks5ProxyAgent with SOCKS5 and relying on requestTls for TLS scope restriction are affected. No workarounds are available, but an alternative is to route traffic through an HTTP-proxy ProxyAgent.

Vendor: undici
Product: Unknown
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-23
Advisory published: 2026-06-17
Advisory updated: 2026-06-23

Who should care

Developers and administrators who use undici's ProxyAgent or Socks5ProxyAgent with SOCKS5 proxy URIs and rely on requestTls to restrict the TLS trust scope should be aware of this vulnerability. This includes applications that pin to an internal or corporate CA via requestTls.ca: because that setting is dropped, the pinned CA is ignored and the connection may be exposed to MITM attacks.

Technical summary

The vulnerability occurs when undici's ProxyAgent is configured with a SOCKS5 proxy URI (socks5:// or socks://). In this case, the requestTls option is silently dropped, causing the target HTTPS connection through the SOCKS5 tunnel to fall back to Node's default trust store. This ignores user-configured ca, cert, key, rejectUnauthorized, and servername settings. As a result, applications that rely on requestTls for TLS scope restriction lose that restriction, and an attacker positioned on the path could potentially read and tamper with the HTTPS exchange.
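As an added example (not undici's or PatchSiren's code), the following audit helper flags ProxyAgent option objects that fall within the scope described above. It assumes the affected ranges are 7.23.0 up to but excluding 7.28.0 and 8.0.0 up to but excluding 8.5.0 (derived from the stated introduction and fix versions), and that the option names are uri and requestTls.

```javascript
// Added audit helper for CVE-2026-9697 (assumption: affected ranges derived from
// the advisory's stated introduction version 7.23.0 and fix versions 7.28.0 / 8.5.0).
const AFFECTED_RANGES = [
  { from: [7, 23, 0], fixed: [7, 28, 0] },
  { from: [8, 0, 0], fixed: [8, 5, 0] },
];

// Parse "major.minor.patch" (optional leading "v") into a numeric triple.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed undici version lies in an affected range.
function versionIsAffected(version) {
  const v = parseSemver(version);
  return AFFECTED_RANGES.some(
    (r) => compareSemver(v, r.from) >= 0 && compareSemver(v, r.fixed) < 0
  );
}

// True when the proxy URI uses one of the SOCKS schemes named in the advisory.
function usesSocksScheme(uri) {
  let protocol;
  try { protocol = new URL(String(uri)).protocol; } catch { return false; }
  return protocol === 'socks5:' || protocol === 'socks:';
}

// Audit a ProxyAgent options object against the installed undici version.
// requestTls only matters here if it actually carries settings (ca, cert, key, ...).
function auditProxyAgentConfig(undiciVersion, options) {
  const findings = [];
  const reliesOnRequestTls =
    options.requestTls != null && Object.keys(options.requestTls).length > 0;
  if (usesSocksScheme(options.uri) && reliesOnRequestTls && versionIsAffected(undiciVersion)) {
    findings.push(
      'CVE-2026-9697: requestTls is dropped for SOCKS5 proxy URIs; ' +
      'upgrade to undici 7.28.0 / 8.5.0 or route through an HTTP-proxy ProxyAgent'
    );
  }
  return { affected: findings.length > 0, findings };
}
```

The helper inspects configuration only and never opens a connection, so it can run in CI against the options an application passes to ProxyAgent.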

Defensive priority

High

Recommended defensive actions

  • Upgrade to undici version 7.28.0 or 8.5.0 to patch the vulnerability.
  • Route traffic through an HTTP-proxy ProxyAgent as an alternative to SOCKS5.
  • Review and update applications that use undici's ProxyAgent or Socks5ProxyAgent with SOCKS5 and rely on requestTls for TLS scope restriction.
  • Monitor for potential MITM attacks and unusual traffic patterns.
  • Implement additional security measures, such as certificate pinning and strict TLS verification.

Evidence notes

The vulnerability was introduced in undici version 7.23.0 when SOCKS5 support was added. The issue is confirmed by the OpenJSF and Node.js communities. [ref-4](https://cna.openjsf.org/security-advisories.html) and [ref-5](https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g) provide additional information on the vulnerability.
