Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
- Severity:
- Low
Description
If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.
Recommendation
Update the undici package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.0.0, < 6.11.1 < 5.28.4** Patched version(s): **6.11.1 5.28.4**
References
- GHSA-9qxr-qj54-h672
- hackerone.com
- lists.fedoraproject.org
- security.netapp.com
- CVE-2024-30261
- CWE-284
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Use of Insufficiently Random Values in undici - CVE-2025-22150
- Tags:
- npm
- undici
Anything's wrong? Let us know Last updated on November 04, 2025