Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc
- Severity: Medium
Description
The fetch() API supports chained HTTP content-coding algorithms for response bodies, as specified in RFC 9110 (e.g., Content-Encoding: gzip, br). The undici decompress interceptor supports such chains as well.
Recommendation
Update the undici package to the latest compatible version. Version details follow:
Affected version(s): **< 6.23.0**, **>= 7.0.0, < 7.18.2**; Patched version(s): **6.23.0**, **7.18.2**
References
Related Issues
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function ga - CVE-2025-65110
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- Tags: npm, undici
Last updated on January 22, 2026