CVE-2026-9697 is a high-severity vulnerability (CVSS score of 7.4) affecting undici's ProxyAgent when used with SOCKS5 proxy URIs. The issue causes the requestTls option to be silently dropped, leading to a fallback to Node's default trust store. This can result in unintended trust anchor changes, allowing for potential MITM attacks. The vulnerability was introduced in undici version 7.23.0 and can be mit [truncated]
CVE-2026-11525 is a vulnerability in undici, a Node.js HTTP/1.1 client. When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains 'Strict', 'Lax', or 'None' as a substring, rather than requiring an exact match as RFC 6265 specifies. This allows malicious servers to coerce consumers into adopting weaker SameSite cookie policies, potentially leading to security downgrades. The issue was i [truncated]
CVE-2026-12151 is a high-severity vulnerability in the undici WebSocket client. A malicious WebSocket server can exploit this vulnerability by streaming many small or empty continuation frames, causing unbounded memory growth in the client process, leading to memory exhaustion and a denial of service. This vulnerability affects applications using the undici WebSocket client or the WebSocketStream API that [truncated]