Skip to content

fix(#868k5bbdr): Fix CVEs#3

Merged
vavsab merged 1 commit into
masterfrom
fix-cves
Jul 7, 2026
Merged

fix(#868k5bbdr): Fix CVEs#3
vavsab merged 1 commit into
masterfrom
fix-cves

Conversation

@vavsab

@vavsab vavsab commented Jul 7, 2026

Copy link
Copy Markdown

Fixed:

  • CVE-2026-12151 (high) — undici WebSocket DoS via fragment count bypass
  • CVE-2026-9679 (medium) — undici HTTP header injection via Set-Cookie percent-decoding
  • CVE-2026-6733 (low) — undici HTTP response queue poisoning via keep-alive reuse
  • CVE-2026-11525 (low) — undici Set-Cookie SameSite attribute downgrade

All fixed by bumping undici to 6.27.0 in the lockfile (@actions/core@actions/http-clientundici). No permanent override needed — the lockfile holds the safe version without it.

🤖 Generated with Claude Code

@vavsab vavsab merged commit f6d54cb into master Jul 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants