The content details four significant vulnerabilities in the 'undici' npm package, a Node.js HTTP client with over 133 million weekly downloads. Two of them, CVE-2026-6734 and CVE-2026-9697, allow cross-origin request routing and TLS certificate validation bypass, potentially leading to data leaks and security risks. The other two, CVE-2026-12151 and CVE-2026-9675, can cause denial of service via malicious WebSocket connections.
No confirmed exploitations have been reported, but patches are available in versions 7.28.0, 8.2.0, 7.26.0, and 8.5.0. Users are advised to update their packages promptly.
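To turn the "update promptly" advice into a check, here is an added example (not code from the advisory or the undici project) that scans a package-lock.json for undici copies, including nested ones, that are below the patched release for their major line. It assumes that the newest listed release per major line (7.28.0 for 7.x, 8.5.0 for 8.x) includes all four fixes, and uses a constructed sample lockfile in place of a real one.

```javascript
// Added example (not the advisory's own code): flag undici copies in a
// package-lock.json (lockfileVersion 2/3 "packages" map) that sit below the
// patched release for their major line. ASSUMPTION: the newest listed release
// per major line covers every CVE; adjust MIN_SAFE if the advisory differs.
const MIN_SAFE = { 7: [7, 28, 0], 8: [8, 5, 0] };

// Constructed sample lockfile standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/undici": { version: "8.4.1" },
    "node_modules/some-cli/node_modules/undici": { version: "7.28.0" },
  },
};

// Parse "7.28.0" (a "-prerelease" suffix is ignored) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is at or above the patched release for its major line.
// Majors the advisory does not list are reported as not patched so they get
// looked at by hand instead of silently passing.
function isPatched(version) {
  const parsed = parseVersion(version);
  const floor = MIN_SAFE[parsed[0]];
  return floor !== undefined && compareVersions(parsed, floor) >= 0;
}

// List every undici entry (top-level or nested) that is not patched.
function findVulnerableUndici(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isUndici = path === "node_modules/undici" || path.endsWith("/node_modules/undici");
    if (isUndici && !isPatched(meta.version)) out.push({ path, version: meta.version });
  }
  return out;
}
```

Run it against `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in a CI step and fail the build when the returned list is non-empty.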