Description
Impact:
When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.

This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.

Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.

This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.

Patches:
Upgrade to undici v7.26.0 or v8.2.0.

Workarounds:
Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

undici reuses a single connection pool for all origins when the Socks5ProxyAgent is used, failing to validate that the pool matches the intended target. As a result, requests meant for one origin are routed to another, sending credentials and request payloads to an unauthorized server and accepting responses from the wrong source. HTTPS requests may also be silently downgraded to HTTP, exposing data to eavesdropping.

Affected Systems

The vulnerability affects the undici library, specifically versions 7.23.0 through 8.1.0. Any application that imports undici and uses Socks5ProxyAgent or sets it globally to make HTTP or HTTPS requests to multiple distinct origins is at risk.
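An added helper for auditing a dependency tree against the versions listed above (written for this page; it is not OpenCVE's or undici's code). It assumes the two fixed releases bound the vulnerable range on their release lines, 7.23.0 up to but excluding 7.26.0 on 7.x and 8.0.0 up to but excluding 8.2.0 on 8.x; the `node_modules/undici/package.json` lookup is the conventional npm layout, not something this page states.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" is tolerated) into numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: the fixed releases named on this page bound the vulnerable range
// on each release line.
const VULNERABLE_RANGES = [
  { from: '7.23.0', fixedIn: '7.26.0' }, // 7.x: introduced in 7.23.0, fixed in 7.26.0
  { from: '8.0.0', fixedIn: '8.2.0' },   // 8.x: 8.0.0 through 8.1.x inherit it, fixed in 8.2.0
];

// True when `version` falls inside one of the vulnerable ranges.
function isAffectedUndici(version) {
  const v = parseSemver(version);
  return VULNERABLE_RANGES.some(
    (r) => compareSemver(v, parseSemver(r.from)) >= 0 && compareSemver(v, parseSemver(r.fixedIn)) < 0,
  );
}

// Smallest patched release on the same major line, for the upgrade advice.
function recommendedUpgrade(version) {
  const [major] = parseSemver(version);
  return major >= 8 ? '8.2.0' : '7.26.0';
}

// Reads the installed undici version from node_modules (conventional layout,
// assumed); returns null when undici is not installed there.
function installedUndiciVersion(nodeModulesDir = 'node_modules') {
  try {
    const fs = require('node:fs');
    const path = require('node:path');
    const pkg = JSON.parse(fs.readFileSync(path.join(nodeModulesDir, 'undici', 'package.json'), 'utf8'));
    return pkg.version;
  } catch {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const v = installedUndiciVersion() || process.argv[2];
  if (!v) {
    console.log('usage: node check-undici.js <version>  (or run inside a project with undici installed)');
  } else if (isAffectedUndici(v)) {
    console.log(`undici ${v}: AFFECTED, upgrade to ${recommendedUpgrade(v)}`);
  } else {
    console.log(`undici ${v}: not in the affected range`);
  }
}
```

Run it from a project root to check the installed copy, or pass a version on the command line; note that transitive copies of undici nested under other packages need the same check with their own `node_modules` path.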

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, signifying a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a client application that routes requests to several origins through one shared Socks5ProxyAgent; the risk therefore lies primarily with such applications rather than in a widespread public exploitation vector.

Generated by OpenCVE AI on June 18, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to v7.26.0 or v8.2.0 to apply the vendor patch
  • When the upgrade cannot be performed immediately, create a separate Socks5ProxyAgent instance for each origin or avoid using the agent with multiple origins
  • Audit the application code to ensure that no shared global dispatcher or proxy agent connects to multiple origins
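The shared-pool defect from the description and the per-origin workaround from the recommended actions above, shown side by side as an added illustration (JavaScript for Node.js; this is not undici's code and not from OpenCVE). The real agent is replaced by a constructed fake that only records which origin each request reaches, and the injected `createAgent` factory stands in for wrapping `new Socks5ProxyAgent(...)`, whose constructor options this page does not give.

```javascript
'use strict';

// Canonical origin (scheme://host[:port]) of a request URL.
function originOf(url) {
  return new URL(url).origin;
}

// Flawed pattern, modelling the defect described on this page (not undici's
// real code): the pool created for the first origin serves every later
// request, whatever destination the caller asked for.
function makeSharedPoolDispatcher(createAgent) {
  let pool = null;
  return {
    dispatch(url, opts) {
      if (pool === null) pool = createAgent(originOf(url));
      return pool.send(url, opts);
    },
  };
}

// Corrected pattern, matching the workaround: one agent per origin, plus an
// explicit check that the chosen pool really is bound to the requested origin.
function makePerOriginDispatcher(createAgent) {
  const pools = new Map();
  return {
    dispatch(url, opts) {
      const origin = originOf(url);
      let pool = pools.get(origin);
      if (pool === undefined) {
        pool = createAgent(origin);
        pools.set(origin, pool);
      }
      if (pool.origin !== origin) {
        // The validation the shared pool never performed.
        throw new Error(`pool bound to ${pool.origin} cannot serve ${origin}`);
      }
      return pool.send(url, opts);
    },
  };
}

// Constructed stand-in for `new Socks5ProxyAgent(...)` (assumption: a real
// factory would return the undici agent). It records where each request
// actually went and which Authorization header travelled with it.
function fakeAgentFactory(log) {
  return (origin) => ({
    origin,
    send(url, opts) {
      const headers = (opts && opts.headers) || {};
      const entry = { requested: originOf(url), reached: origin, authorization: headers.authorization || null };
      log.push(entry);
      return entry;
    },
  });
}

// Sends the same three constructed requests through a dispatcher and reports
// misrouting (request reached a different origin), leaked credentials, and
// downgrades (an https:// request that left through a pool bound to http://).
function simulate(makeDispatcher) {
  const log = [];
  const d = makeDispatcher(fakeAgentFactory(log));
  d.dispatch('http://a.example.test/health', {});
  d.dispatch('https://b.example.test/api', { headers: { authorization: 'Bearer token-for-B' } });
  d.dispatch('https://c.example.test/login', { headers: { authorization: 'Bearer token-for-C' } });
  const misrouted = log.filter((e) => e.requested !== e.reached);
  return {
    requests: log.length,
    misrouted: misrouted.map((e) => `${e.requested} -> ${e.reached}`),
    leakedCredentials: misrouted.filter((e) => e.authorization !== null).length,
    downgraded: misrouted.filter((e) => e.requested.startsWith('https:') && e.reached.startsWith('http:')).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('shared pool (vulnerable):', simulate(makeSharedPoolDispatcher));
  console.log('per-origin  (workaround):', simulate(makePerOriginDispatcher));
}
```

With the shared pool, the two HTTPS requests carrying bearer tokens for B and C both leave through the plain-HTTP pool bound to A, which is exactly the credential leak and silent downgrade the description warns about; with a pool per origin, every request reaches the origin it was addressed to. The same keyed-map pattern applies to a global dispatcher: install a router that selects the per-origin agent rather than a single Socks5ProxyAgent via setGlobalDispatcher.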


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Undici; Undici undici
Vendors & Products | | Undici; Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat; Redhat hummingbird
Weaknesses | | CWE-940
CPEs | | cpe:/a:redhat:hummingbird:1
Vendors & Products | | Redhat; Redhat hummingbird
References | |
Metrics | threat_severity: None | threat_severity: Important

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Weaknesses | | CWE-346
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-17T18:26:51.736Z

Reserved: 2026-04-20T22:57:40.878Z

Link: CVE-2026-6734

Vulnrichment

Updated: 2026-06-17T18:26:47.055Z

NVD

No data.

Redhat

Severity: Important

Public Date: 2026-06-17T16:36:55Z

Links: CVE-2026-6734 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-346: Origin Validation Error
  • CWE-940: Improper Verification of Source of a Communication Channel