High severity CVEs in the rest component #11500

@clewisln

Description

Describe the bug

There are several CVEs posted against the version of undici used by the version of openapi that this project is using. As of the past few days some high severity items came in, so this probably should be looked at as it's causing audit failures.

CVEs:
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - GHSA-g9mf-h72j-4rw9
Undici has an HTTP Request/Response Smuggling issue - GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via upgrade option - GHSA-4992-7rv2-5pvq

I am not sure what a good fix is here because the @openapi-contrib/openapi-schema-to-json-schema package that rest is relying on hasn't been updated in 3 years, so it is probably no longer maintained.

Logs

undici  <=6.23.0
Severity: high
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
fix available via `npm audit fix --force`
Will install @loopback/rest@7.0.1, which is a breaking change
node_modules/undici
  openapi-typescript  5.1.1 - 6.7.6
  Depends on vulnerable versions of undici
  node_modules/openapi-typescript
    @openapi-contrib/openapi-schema-to-json-schema  >=4.0.1
    Depends on vulnerable versions of openapi-typescript
    node_modules/@openapi-contrib/openapi-schema-to-json-schema
      @loopback/rest  >=13.1.1
      Depends on vulnerable versions of @openapi-contrib/openapi-schema-to-json-schema
      node_modules/@loopback/rest

Additional information

No response

Reproduction

n/a
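To confirm which dependency chain pulls in the affected undici before deciding between `npm audit fix --force` and a targeted upgrade, the following added example (not part of the issue or the LoopBack project) walks a `npm ls --json` style tree and reports every path that ends in an undici version inside the audited range `<=6.23.0`. The tree is constructed to mirror the chain in the audit output; the non-undici versions are the lower bounds quoted there, used as placeholders.

```javascript
// Constructed sample shaped like `npm ls undici --json` output; versions
// other than undici's are the lower bounds from the audit report.
const SAMPLE_TREE = {
  name: "example-app", version: "1.0.0",
  dependencies: {
    "@loopback/rest": {
      version: "13.1.1",
      dependencies: {
        "@openapi-contrib/openapi-schema-to-json-schema": {
          version: "4.0.1",
          dependencies: {
            "openapi-typescript": {
              version: "6.7.6",
              dependencies: { undici: { version: "6.23.0" } },
            },
          },
        },
      },
    },
  },
};

// Compare two "x.y.z" versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every "a@v > b@v > ... > pkg@v" path whose
// final node is `pkg` at a version the `isVulnerable` predicate flags.
function findVulnerablePaths(tree, pkg, isVulnerable, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === pkg && isVulnerable(node.version)) hits.push(path.join(" > "));
    hits.push(...findVulnerablePaths(node, pkg, isVulnerable, path));
  }
  return hits;
}

// Affected range taken from the audit output: undici <= 6.23.0
const undiciAffected = (v) => compareVersions(v, "6.23.0") <= 0;

findVulnerablePaths(SAMPLE_TREE, "undici", undiciAffected).forEach((p) => console.log(p));
```

Pipe real `npm ls undici --json` output into `findVulnerablePaths` in place of the sample to see the actual chain in a project; an empty result after an upgrade is the check that the transitive pin took effect.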
