Vulnerable Library - discord.js-14.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (discord.js version) |
Remediation Possible** |
| CVE-2026-4800 |
 High |
8.1 |
lodash-4.17.21.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-2229 |
High |
7.5 |
undici-6.21.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1528 |
High |
7.5 |
undici-6.21.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1526 |
High |
7.5 |
undici-6.21.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-13465 |
High |
7.2 |
lodash-4.17.21.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-2950 |
 Medium |
6.5 |
lodash-4.17.21.tgz |
Transitive |
14.19.0 |
✅ |
| CVE-2026-1525 |
Medium |
6.5 |
undici-6.21.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-22036 |
Medium |
5.9 |
undici-6.21.1.tgz |
Transitive |
14.26.0 |
✅ |
| CVE-2026-1527 |
Medium |
4.6 |
undici-6.21.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-47279 |
 Low |
3.1 |
undici-6.21.1.tgz |
Transitive |
14.20.0 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- builders-1.10.1.tgz
- shapeshift-4.0.0.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
CVE-2026-2229
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
CVE-2026-1528
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: 2026-03-12
URL: CVE-2026-1528
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f269-vfmq-vjvj
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
CVE-2026-1526
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- builders-1.10.1.tgz
- shapeshift-4.0.0.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash - 4.17.23,lodash-amd - 4.17.23,lodash-es - 4.17.23
CVE-2026-2950
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- builders-1.10.1.tgz
- shapeshift-4.0.0.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution (lodash): 4.17.23
Direct dependency fix Resolution (discord.js): 14.19.0
In order to enable automatic remediation, please create workflow rules
CVE-2026-1525
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
CVE-2026-22036
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix Resolution (discord.js): 14.26.0
In order to enable automatic remediation, please create workflow rules
CVE-2026-1527
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += "connection: upgrade\r\nupgrade: ${upgrade}\r\n"
}
Publish Date: 2026-03-12
URL: CVE-2026-1527
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4992-7rv2-5pvq
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
CVE-2025-47279
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- discord.js-14.18.0.tgz (Root Library)
- ❌ undici-6.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution (undici): 6.21.2
Direct dependency fix Resolution (discord.js): 14.20.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: 2026-03-12
URL: CVE-2026-1528
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f269-vfmq-vjvj
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash - 4.17.23,lodash-amd - 4.17.23,lodash-es - 4.17.23
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution (lodash): 4.17.23
Direct dependency fix Resolution (discord.js): 14.19.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Potential consequences:
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution (undici): 6.23.0
Direct dependency fix Resolution (discord.js): 14.26.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += "connection: upgrade\r\nupgrade: ${upgrade}\r\n"
}
Publish Date: 2026-03-12
URL: CVE-2026-1527
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4992-7rv2-5pvq
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Vulnerable Library - undici-6.21.1.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution (undici): 6.21.2
Direct dependency fix Resolution (discord.js): 14.20.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules