Update dependency undici to v6.21.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	6.19.2 -> 6.21.2

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in #​4024
• [v6.x] fix wpts on windows by @​mcollina in #​4093
• Removed clients with unrecoverable errors from the Pool #​4088

New Contributors

• @​slagiewka made their first contribution in #​4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#​3736): back-port 183f8e9 to v6.x by @​ggoodman in #​3855
• fix(#​3817): send servername for SNI on TLS (#​3821) [backport] by @​metcoder95 in #​3864
• fix: sending formdata bodies with http2 (#​3863) [backport] by @​metcoder95 in #​3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in #​3877
• types: [backport] Update return type of RetryCallback (#​3851) by @​metcoder95 in #​3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

• [Backport v6.x] web: mark as uncloneable when possible (#​3709) by @​jazelly in #​3744
• [Backport v6.x] fetch: fix content-encoding order by @​github-actions in #​3764
• [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @​github-actions in #​3822
• [Backport v6.x] fix: range end is zero-indexed by @​github-actions in #​3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

• [Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @​github-actions in #​3710
• [Backport v6.x] feat: implement BodyReadable.bytes by @​github-actions in #​3711
• fix: add more expectsPayload methods by @​ronag in #​3715
• [Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#​3707) by @​Uzlopak in #​3724
• [Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @​github-actions in #​3723
• [Backport v6.x] fix: extract noop everywhere by @​Uzlopak in #​3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

• Remove patched dom types (v6.x branch) by @​eXhumer in #​3531
• docs(Backport v6.x): Fix signature of RetryHandler by @​github-actions in #​3594
• deps(dev): update @​types/node by @​metcoder95 in #​3618
• fix: throw on retry when payload is consume by downstream by @​github-actions in #​3596
• feat(Backport v6.x): move throwOnError to interceptor by @​github-actions in #​3595
• [Backport v6.x] fix: reduce memory usage in client-h1 by @​github-actions in #​3672
• [Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​github-actions in #​3673
• [Backport v6.x] fix: run asserts first if possible by @​github-actions in #​3674
• [Backport v6.x] fix: use fasttimers for all connection timeouts by @​github-actions in #​3675
• [Backport v6.x] ci: less flaky test/request-timeout.js test by @​github-actions in #​3678
• [Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​github-actions in #​3679
• [Backport v6.x] ignore leading and trailing crlfs in formdata body by @​github-actions in #​3681
• [Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​github-actions in #​3689
• [Backport v6.x] handle body errors by @​Uzlopak in #​3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.