
build: update all non-major dependencies (main) #33404

Merged: clydin merged 1 commit into angular:main from angular-robot:ng-renovate/main-all-non-major-dependencies on Jun 18, 2026

Conversation

angular-robot (Contributor) commented Jun 18, 2026

This PR contains the following updates:

Package                                     Change
@typescript-eslint/eslint-plugin (source)   8.61.0 → 8.61.1
@typescript-eslint/parser (source)          8.61.0 → 8.61.1
algoliasearch (source)                      5.54.0 → 5.55.0
undici (source)                             8.4.1 → 8.5.0


Release Notes

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.61.1

Compare Source

🩹 Fixes
  • eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#​12388)
  • eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#​12413)
  • eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#​12394, #​12393)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#​12281)
  • eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#​12396, #​10577)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.61.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

algolia/algoliasearch-client-javascript (algoliasearch)

v5.55.0

Compare Source

v5.54.1

Compare Source

nodejs/undici (undici)

v8.5.0

Compare Source

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in
v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0
Summary
Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 8.5.0 32dbf0b3
GHSA-38rv-x7px-6hhq CVE-2026-9675 High (7.5) 8.5.0 b4c287b3
GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 8.5.0 42d49559
GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 8.2.0 a516f870
GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 8.5.0 cb105d7c
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 8.5.0 5655ea43
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 8.5.0 5655ea43
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 8.5.0 6ea54ef8

High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream
    against untrusted endpoints.
  • Workaround: none — upgrade is required.
WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
6.x and 7.x lines are not affected).

  • Workaround: none — upgrade is required.
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295
Fix: 42d49559 fix: honor requestTls when proxy is SOCKS5

The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

  • Affected: ProxyAgent / Socks5ProxyAgent over SOCKS5 that rely on
    requestTls.
  • Workaround: route traffic through an HTTP-proxy ProxyAgent, where
    requestTls functions correctly.
Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

GHSA-hm92-r4w5-c3mj · CWE-346 · Fixed in 8.2.0
Fix: a516f870 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#​5041)

Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

  • Affected: applications using Socks5ProxyAgent across multiple origins
    (introduced via #​4385).
  • Workaround: use a separate agent instance per origin.

Moderate severity
Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

GHSA-pr7r-676h-xcf6 · CWE-524
Fix: cb105d7c fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.

  • Affected: apps using the cache interceptor in shared mode that forward
    Authorization upstream and receive non-canonical qualified directives.
  • Workaround: disable shared-cache mode for authenticated traffic, avoid
    caching authenticated responses, or add Vary: Authorization upstream.
HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#​3789.

  • Workaround: sanitize values before forwarding — strip or reject CR, LF,
    NUL, ;, and =.

Low severity
Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: 6ea54ef8 fix: guard idle socket validation to skip fresh sockets, hardened by c9fbe9d2 keep idle validation on native timers (#​5397) and ac5394b8 keep idle validation on global timers (#​5407)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

  • Requirements: attacker-controlled/compromised upstream and active
    keep-alive reuse.
  • Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
    Client or Pool.

Also in v8.5.0 (non-security)

v8.5.0 shipped the security fixes above alongside the following changes. These
are not security fixes
— they are listed for completeness of the release. (The
two queue-poisoning hardening PRs, #​5397
and #​5407, are covered under
CVE-2026-6733 above and are not repeated here.)

  • HTTP/2: #5408 don't rewind kPendingIdx past in-flight requests · #5391 allow h2 POST request multiplexing · #5406 reap idle HTTP/2 sessions · #5410 preserve h2 queue on out-of-order completion
  • Features: #5416 add bodyMixin.textStream() · #5418 align EventSource with spec
  • Docs / CI / tests: #5413 document request header validation · #5383 absorb h2 stream timeout resets (test) · #5420 remove stale repro + lint · #5426 extend Windows CI timeout · #5427 detect available python in WPT runner

Full changelog: v8.4.1...v8.5.0.


Credits

Per-advisory credits (as recorded in each GHSA):

See associated pull request for more information.
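Added example for the two WebSocket advisories above (CVE-2026-12151 and CVE-2026-9675). This is illustrative code written for this page, not undici's implementation and not part of this PR. It shows why a per-frame size check alone is insufficient, and how a reassembler that tracks cumulative payload and fragment count across continuation frames stops both the many-small-fragments bypass and the empty-fragment flood. The FragmentAssembler class, the limit values and the frame objects are assumptions constructed here.

```javascript
// Added example, not undici's code: reassembling a fragmented WebSocket message
// while enforcing BOTH a cumulative payload limit (CVE-2026-9675) and a
// fragment-count limit (CVE-2026-12151). Limits and frames are constructed here.

class FragmentAssembler {
  constructor({ maxPayload, maxFragments }) {
    this.maxPayload = maxPayload;       // bytes across all fragments of one message
    this.maxFragments = maxFragments;   // frames per message, including empty ones
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.received = 0;
    this.fragments = 0;
  }

  // Feed one data/continuation frame. Returns the complete message (Uint8Array)
  // on the FIN frame, null while more fragments are expected, and throws when a
  // limit is exceeded; a real client would then close with status 1009.
  push(frame) {
    this.fragments += 1;                 // counted even for zero-length fragments
    if (this.fragments > this.maxFragments) {
      this.reset();
      throw new RangeError('too many fragments in message');
    }
    this.received += frame.payload.length;   // cumulative, not per-frame
    if (this.received > this.maxPayload) {
      this.reset();
      throw new RangeError('message exceeds maxPayload');
    }
    this.chunks.push(frame.payload);
    if (!frame.fin) return null;
    const out = new Uint8Array(this.received);
    let off = 0;
    for (const c of this.chunks) { out.set(c, off); off += c.length; }
    this.reset();
    return out;
  }
}

// Per-frame check only: what a vulnerable implementation did. Every fragment
// below the limit passes, so many small fragments slip through collectively.
function perFrameCheckPasses(frames, maxPayload) {
  return frames.every((f) => f.payload.length <= maxPayload);
}

// Build n fragments of `size` bytes each, FIN only on the last one.
function makeFragments(n, size) {
  return Array.from({ length: n }, (_, i) => ({
    fin: i === n - 1,
    payload: new Uint8Array(size),
  }));
}

// Run a frame sequence through an assembler, reporting either the assembled
// message length or the error that stopped it and at which frame.
function feed(frames, limits) {
  const asm = new FragmentAssembler(limits);
  for (let i = 0; i < frames.length; i++) {
    try {
      const msg = asm.push(frames[i]);
      if (msg) return { ok: true, bytes: msg.length, frames: i + 1 };
    } catch (e) {
      return { ok: false, error: e.message, frames: i + 1 };
    }
  }
  return { ok: false, error: 'incomplete message', frames: frames.length };
}

const limits = { maxPayload: 1024, maxFragments: 64 };
console.log(feed(makeFragments(3, 100), limits));             // legitimate message: 300 bytes
console.log(feed(makeFragments(20, 100), limits));            // cumulative bypass stopped at frame 11
console.log(feed(makeFragments(100000, 0), limits));          // empty-fragment flood stopped at frame 65
console.log(perFrameCheckPasses(makeFragments(20, 100), 1024)); // true: per-frame check is not enough
```

The two limits are independent: the 20×100-byte sequence passes the fragment-count check but trips the cumulative size check, while the 100000 empty fragments never add a byte yet are stopped by the fragment counter. Both checks have to exist for either attack to fail.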
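Added example for CVE-2026-9678, written for this page rather than taken from undici or this PR: a Cache-Control parser that canonicalises qualified directives (whitespace trimmed, quotes removed, names case-folded) so that a non-canonical private=" authorization" is recognised, together with the RFC 9111 rule that a shared cache may store a response to a request carrying Authorization only when the response says public, must-revalidate or s-maxage. Function names and header values are constructed for illustration.

```javascript
// Added example, not undici's code: canonical parsing of Cache-Control qualified
// directives such as private=" authorization" (the whitespace/quoting case behind
// CVE-2026-9678) and the RFC 9111 rule for storing authenticated responses in a
// shared cache. Header values are constructed for illustration.

// Split on `sep` only outside quoted-strings, honouring backslash escapes.
function splitOutsideQuotes(value, sep) {
  const parts = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (quoted && ch === '\\' && i + 1 < value.length) { cur += ch + value[++i]; continue; }
    if (ch === '"') quoted = !quoted;
    if (ch === sep && !quoted) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p !== '');
}

function unquote(s) {
  if (s.length >= 2 && s.startsWith('"') && s.endsWith('"')) {
    return s.slice(1, -1).replace(/\\(.)/g, '$1');
  }
  return s;
}

// Returns Map<directive, argument>. For `private` and `no-cache` the argument is
// an array of lower-cased, trimmed field names ([] when the directive is unqualified).
function parseCacheControl(header) {
  const directives = new Map();
  for (const part of splitOutsideQuotes(header, ',')) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    let arg = eq < 0 ? null : unquote(part.slice(eq + 1).trim());
    if (name === 'private' || name === 'no-cache') {
      arg = arg === null ? [] : arg.split(',').map((f) => f.trim().toLowerCase()).filter(Boolean);
    }
    directives.set(name, arg);
  }
  return directives;
}

// Shared-cache storability per RFC 9111 sections 3 and 3.5. Header names in the
// request/response objects are assumed to be lower-case already.
function sharedCacheDecision(requestHeaders, responseHeaders) {
  const cc = parseCacheControl(responseHeaders['cache-control'] || '');
  if (cc.has('no-store')) return { store: false, reason: 'no-store' };
  const priv = cc.get('private');
  if (priv && priv.length === 0) return { store: false, reason: 'private' };
  const authed = 'authorization' in requestHeaders;
  const explicitlyOk = cc.has('public') || cc.has('must-revalidate') || cc.has('s-maxage');
  if (authed && !explicitlyOk) {
    return { store: false, reason: 'authenticated request without public/must-revalidate/s-maxage' };
  }
  // Qualified private: the response may be stored, but never the listed fields.
  const omit = new Set(priv || []);
  const storedHeaders = Object.fromEntries(
    Object.entries(responseHeaders).filter(([k]) => !omit.has(k.toLowerCase())),
  );
  return { store: true, omitted: [...omit], storedHeaders };
}

console.log(parseCacheControl('max-age=60, private=" authorization"').get('private')); // ['authorization']
console.log(sharedCacheDecision(
  { authorization: 'Bearer t0k3n' },
  { 'cache-control': 'public, max-age=60, private=" Set-Cookie , X-Account-Id"',
    'set-cookie': 'sid=1', 'x-account-id': '42', 'content-type': 'text/html' },
));
```

A parser that compares the raw, untrimmed field name (' authorization') against header names will never match 'authorization', so the field it was told to omit ends up in the shared cache; trimming and case-folding both sides before the comparison is the whole fix.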
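Added example for the two Set-Cookie advisories (CVE-2026-9679 and CVE-2026-11525), again written for this page and not undici's parser or anything from this PR: a vulnerable sketch that percent-decodes values and matches SameSite by substring, beside a hardened parser that keeps the value verbatim per RFC 6265 §5.4 and accepts SameSite only as a case-insensitive exact match, plus the advisory's workaround check for code that forwards parsed cookies into response headers. The header strings are constructed; the vulnerable sketch reproduces the two bug classes described above, not undici's exact code.

```javascript
// Added example, not undici's code: a Set-Cookie parser following RFC 6265
// section 5.4 (value kept verbatim, no percent-decoding; SameSite matched
// exactly) beside a vulnerable variant showing the bug classes from
// CVE-2026-9679 and CVE-2026-11525. Header strings are constructed.

const HEADER_CTL = /[\u0000\r\n]/;   // bytes that terminate a header line or a C string

// Vulnerable sketch: percent-decodes the value and matches SameSite by substring.
function parseSetCookieVulnerable(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: decodeURIComponent(pair.slice(eq + 1).trim()),   // %0D%0A becomes a real CRLF
    attributes: {},
  };
  for (const raw of attrs) {
    const [k, v = ''] = raw.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'samesite') {
      const s = v.trim().toLowerCase();
      if (s.includes('none')) cookie.attributes.samesite = 'None';        // "NoneOfYourBusiness" -> None
      else if (s.includes('lax')) cookie.attributes.samesite = 'Lax';      // "StrictLax" -> Lax
      else if (s.includes('strict')) cookie.attributes.samesite = 'Strict';
    } else if (key) {
      cookie.attributes[key] = v.trim();
    }
  }
  return cookie;
}

// Hardened parser: value preserved byte-for-byte, control characters rejected,
// SameSite accepted only as a case-insensitive exact match; unknown values are
// ignored (browser behaviour) rather than mapped to a weaker policy.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;                       // RFC 6265 5.2: no '=' means ignore
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (!name || HEADER_CTL.test(name) || HEADER_CTL.test(value)) return null;
  const cookie = { name, value, attributes: {} };
  for (const raw of attrs) {
    const i = raw.indexOf('=');
    const key = (i < 0 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : raw.slice(i + 1).trim();
    if (!key) continue;
    if (key === 'samesite') {
      const s = val.toLowerCase();
      if (s === 'strict' || s === 'lax' || s === 'none') {
        cookie.attributes.samesite = s[0].toUpperCase() + s.slice(1);
      }
    } else {
      cookie.attributes[key] = val;
    }
  }
  return cookie;
}

// The advisory's workaround for code that forwards parsed cookies into response
// headers: reject values containing CR, LF, NUL, ';' or '='. Deliberately
// conservative; '=' is legal in a cookie-value but the advisory lists it.
function safeToForward(cookie) {
  return cookie !== null && !/[\u0000\r\n;=]/.test(cookie.value);
}

// Serialising a parsed cookie back into a header is where injection happens.
function serializeSetCookie(cookie) {
  const attrs = Object.entries(cookie.attributes)
    .map(([k, v]) => (v === '' ? k : `${k}=${v}`));
  return [`${cookie.name}=${cookie.value}`, ...attrs].join('; ');
}

const evil = 'sid=abc%0D%0ASet-Cookie:%20admin=1; Path=/; SameSite=NoneOfYourBusiness';
console.log(JSON.stringify(serializeSetCookie(parseSetCookieVulnerable(evil))));
// vulnerable output carries a literal CRLF and a second Set-Cookie line
const parsed = parseSetCookie(evil);
console.log(parsed.value, parsed.attributes.samesite, safeToForward(parsed));
// hardened: value stays encoded, SameSite is dropped as unknown, forwarding refused
```

The hardened parser alone already removes the injection (the encoded CRLF is never decoded), but the workaround check still matters for code paths that receive cookie values from other parsers or from upstream headers verbatim.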
angular-robot added the labels action: merge, area: build & ci and target: automation on Jun 18, 2026

gemini-code-assist (bot) left a comment

Code Review

This pull request updates several dependencies across multiple package.json files, including upgrading @typescript-eslint/eslint-plugin and @typescript-eslint/parser to 8.61.1, undici to 8.5.0, and algoliasearch to 5.55.0. There are no review comments, and I have no feedback to provide.

clydin merged commit e664314 into angular:main on Jun 18, 2026
44 checks passed
clydin (Member) commented Jun 18, 2026

This PR was merged into the repository. The changes were merged into the following branches:


Labels

  • action: merge (The PR is ready for merge by the caretaker)
  • area: build & ci (Related to the build and CI infrastructure of the project)
  • target: automation (This PR is targeted to only merge into the branch defined in GitHub [bot use only])
