CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-6733 | LOW | undici | 6.25.0 | 6.27.0, 7.28.0, 8.5.0 | 2026-06-17T18:18:05.473Z | 2026-06-24T10:18:20.293117067Z |
Affected Docker Images
| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:904f7a98db07d37b59bf7edd90ed97bbba1cb574fd86db462205c68cfc55486c |
Description
Impact:
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds:
Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
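The mechanism described above, as an added example that is not code from the advisory or from undici: an in-memory model of an HTTP/1.1 keep-alive connection (a constructed `FakeSocket`, with the upstream server modelled as a function that appends bytes to the receive buffer). A vulnerable dispatcher pairs whatever response is next on the wire with the request it just sent; the malicious upstream appends an unsolicited response after answering the first request, so the second request is handed the injected response and every later request is off by one. The hardened dispatcher shows the two defences: `reuseConnections: false` models the advisory's workaround (`keepAliveTimeout: 0`, a fresh connection per request), and with reuse left on it refuses to dispatch on a socket that has unsolicited bytes queued while it should be idle. Class and option names are invented for the example.

```javascript
// Added example, not code from the advisory or from undici: a byte-level model
// of HTTP/1.1 response queue poisoning on a reused keep-alive connection.
// FakeSocket stands in for the TCP socket; an "upstream" is a function that
// appends the server's bytes to the socket's receive buffer. The parser only
// understands Content-Length bodies, which is all the model needs.

const CRLF = '\r\n';

// Serialise one HTTP/1.1 response with an explicit Content-Length.
function httpResponse(status, body) {
  return `HTTP/1.1 ${status}${CRLF}Content-Length: ${Buffer.byteLength(body)}${CRLF}${CRLF}${body}`;
}

// Parse exactly one response from the front of buf; null if it is incomplete.
function parseOneResponse(buf) {
  const headEnd = buf.indexOf(CRLF + CRLF);
  if (headEnd === -1) return null;
  const lines = buf.slice(0, headEnd).split(CRLF);
  const status = Number(lines[0].split(' ')[1]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const len = Number(headers['content-length'] || 0);
  const bodyStart = headEnd + 4;
  if (buf.length < bodyStart + len) return null;
  return { status, headers, body: buf.slice(bodyStart, bodyStart + len), consumed: bodyStart + len };
}

// In-memory stand-in for a keep-alive TCP connection to one upstream.
class FakeSocket {
  constructor(upstream) { this.upstream = upstream; this.rx = ''; }
  write(request) { this.rx += this.upstream(request); } // the peer answers synchronously
  read() {                                              // next queued response, if complete
    const res = parseOneResponse(this.rx);
    if (res) this.rx = this.rx.slice(res.consumed);
    return res;
  }
  destroy() { this.rx = ''; }
}

const buildRequest = (path) => `GET ${path} HTTP/1.1${CRLF}Host: upstream${CRLF}${CRLF}`;

// Malicious upstream: answers the first request, then appends an unsolicited
// second response that sits on the idle socket until the next request is sent.
function makePoisoningUpstream() {
  let calls = 0;
  return (req) => {
    const legit = httpResponse(200, 'legit:' + req.split(' ')[1]);
    return ++calls === 1 ? legit + httpResponse(200, 'INJECTED') : legit;
  };
}

// Vulnerable dispatcher: reuses the socket and pairs "next response on the
// wire" with "request just sent", the association the advisory describes.
class VulnerableClient {
  constructor(upstream) { this.socket = new FakeSocket(upstream); }
  request(path) { this.socket.write(buildRequest(path)); return this.socket.read(); }
}

// Hardened dispatcher. reuseConnections: false models the workaround
// (keepAliveTimeout: 0): a fresh connection per request, so nothing left on an
// old socket can be matched to a new request. With reuse on, bytes found on a
// socket that should be idle are treated as hostile and the socket is dropped
// before the request is dispatched.
class HardenedClient {
  constructor(upstream, { reuseConnections = true } = {}) {
    this.upstream = upstream;
    this.reuseConnections = reuseConnections;
    this.socket = null;
    this.discardedSockets = 0;
  }
  request(path) {
    if (this.socket && this.socket.rx.length > 0) {
      this.socket.destroy();
      this.socket = null;
      this.discardedSockets++;
    }
    if (!this.socket || !this.reuseConnections) this.socket = new FakeSocket(this.upstream);
    this.socket.write(buildRequest(path));
    return this.socket.read();
  }
}

// Send /a, /b, /c through a client talking to the poisoning upstream and
// return the body each request was handed.
function demo(ClientClass, options) {
  const client = new ClientClass(makePoisoningUpstream(), options);
  return ['/a', '/b', '/c'].map((p) => client.request(p).body);
}

console.log('vulnerable:', demo(VulnerableClient)); // [ 'legit:/a', 'INJECTED', 'legit:/b' ]
console.log('hardened:  ', demo(HardenedClient));   // [ 'legit:/a', 'legit:/b', 'legit:/c' ]
```

The vulnerable run shows the desynchronisation the advisory describes: `/b` receives the injected body and `/c` receives the response that belonged to `/b`. Dropping reuse removes the problem at the cost of a new connection per request, which is why the workaround is a stopgap and the upgrade is the fix.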
Remediation Steps
- Update the affected package: undici from 6.25.0 to 6.27.0, or to 7.28.0 or 8.5.0 if you move to a later major line.
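A check for this remediation step, added here and not part of the advisory or of any scanner: decide whether an installed undici version is covered by a per-major fixed-version list of the form reported in the CVE Details table, then walk a dependency tree in the shape of `npm ls --all --json` output so nested copies of the package are not missed. The point the table alone does not make explicit is that each fixed version only patches its own release line, so 7.27.0 is still affected even though it sorts after 6.27.0. The constant uses the table's 6.27.0 for the 6.x line (the Patches text gives 6.26.0; change the constant if that is the value you trust). The sample tree and its package names other than undici are constructed, and treating lines newer than every fixed line as patched is an assumption.

```javascript
// Added example, not part of the advisory or of any scanner: per-major
// fixed-version check for an installed package plus a walk over an
// `npm ls --all --json`-shaped tree to find every copy of it.

const FIXED_VERSIONS = ['6.27.0', '7.28.0', '8.5.0']; // Fixed Version column of the CVE Details table

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Each fixed version only patches its own release line. Lines older than every
// fixed line are treated as affected; lines newer than every fixed line are
// assumed to carry the fix (assumption, not something the advisory states).
function assessVersion(installed, fixedVersions = FIXED_VERSIONS) {
  const major = parseSemver(installed)[0];
  const floor = fixedVersions.find((f) => parseSemver(f)[0] === major);
  if (floor) {
    const fixed = compareSemver(installed, floor) >= 0;
    return { fixed, reason: `${installed} ${fixed ? '>=' : '<'} ${floor} on the ${major}.x line` };
  }
  const newestFixedMajor = Math.max(...fixedVersions.map((f) => parseSemver(f)[0]));
  const fixed = major > newestFixedMajor;
  return {
    fixed,
    reason: fixed ? `${major}.x is newer than every fixed line` : `no fixed release on the ${major}.x line`,
  };
}

// Constructed sample in the shape of `npm ls --all --json`; the package names
// other than undici are invented for the example.
const sampleNpmLs = {
  name: 'my-lambda',
  version: '1.0.0',
  dependencies: {
    undici: { version: '6.25.0' },
    'http-helper': { version: '2.3.0', dependencies: { undici: { version: '7.27.0' } } },
    'some-tool': { version: '1.0.0', dependencies: { undici: { version: '8.5.0' } } },
  },
};

// Depth-first walk collecting every instance of pkg with its dependency path,
// so a transitive copy is reported as well as the top-level one.
function findPackage(tree, pkg, path = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) found.push({ path: here.join(' > '), version: node.version });
    found.push(...findPackage(node, pkg, here));
  }
  return found;
}

function auditTree(tree, pkg = 'undici', fixedVersions = FIXED_VERSIONS) {
  return findPackage(tree, pkg).map((hit) => ({ ...hit, ...assessVersion(hit.version, fixedVersions) }));
}

for (const r of auditTree(sampleNpmLs)) {
  console.log(r.fixed ? 'ok      ' : 'AFFECTED', r.path, '-', r.reason);
}
```

To run it against a real deployment package, replace `sampleNpmLs` with the parsed output of `npm ls --all --json` from the function's build directory; the nested-copy case matters because a transitive 7.x undici pulled in by another dependency is not touched by bumping the top-level 6.x entry.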
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.