Skip to content

[Aikido] Fix security issue in undici via minor version upgrade from 6.25.0 to 6.27.0 in with-react-native#38

Merged
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55966461-jsan
Jun 26, 2026
Merged

[Aikido] Fix security issue in undici via minor version upgrade from 6.25.0 to 6.27.0 in with-react-native#38
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55966461-jsan

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Upgrade undici to fix WebSocket DoS vulnerability allowing unbounded memory growth through fragment flooding.

⚠️ Breaking changes in this upgrade

All breaking changes by upgrading undici from version 6.25.0 to 6.27.0 (CHANGELOG)

Version Description
6.27.0
parseSetCookie no longer applies percent-decoding to cookie values, changing behavior for encoded sequences like %0D%0A and %00 which were previously decoded into literal bytes but are now preserved as-is per RFC 6265 §5.4
6.27.0
SameSite cookie attribute parsing now requires exact matches (Strict, Lax, or None) instead of accepting these values as substrings, rejecting previously accepted values like SameSite=NoneOfYourBusiness or SameSite=StrictLax
✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-12151
HIGH
[undici] WebSocket client fails to limit the number of message fragments, allowing a malicious server to send many frames causing unbounded memory growth and denial of service.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@socket-security

Copy link
Copy Markdown

Dependency limit exceeded — report not shown.

This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report.

Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard.

Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account.

@yosriady yosriady merged commit c570835 into main Jun 26, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant