更新: 103 个文件 - 2026-03-18 19:24:37

07-framework-security/frameworks/undici/INDEX.md

@@ -5,14 +5,14 @@
 - 系统 ID: `undici`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
-- 总案例数: `0`
-- 近 30 天新增/更新: `0`
-- 重点 Markdown 案例数: `0`
-- 已实证(真实版本): `0`
+- 总案例数: `16`
+- 近 30 天新增/更新: `7`
+- 重点 Markdown 案例数: `15`
+- 已实证(真实版本): `7`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
-- 待人工/缺浏览器证据: `0`
-- 最近渲染时间: `2026-03-18T21:18:14+00:00`
+- 待人工/缺浏览器证据: `9`
+- 最近渲染时间: `2026-03-19T02:23:04+00:00`
 
 ## 目标约束
 
@@ -32,4 +32,19 @@
 
 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T22:58:59.936049Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-1526.md) |
+| Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T22:58:58.908047Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-2229.md) |
+| Undici has CRLF Injection in undici via `upgrade` option | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T22:58:58.996775Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-1527.md) |
+| Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T23:58:57.714731Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-2581.md) |
+| Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T22:58:59.863318Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-1528.md) |
+| Undici has an HTTP Request/Response Smuggling issue | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-18T22:58:59.626657Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2026-1525.md) |
+| CVE-2026-21636 | `critical` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-01-30T20:20:56.843` | - |
+| Undici vulnerable to data leak when using response.arrayBuffer() | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-07-09T13:57:47.271493Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2024-38372.md) |
+| Undici proxy-authorization header not cleared on cross-origin redirect in fetch | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-05-02T13:15:07Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2024-24758.md) |
+| fetch(url) leads to a memory leak in undici | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-04-19T09:30:47Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2024-24750.md) |
+| CRLF Injection in Nodejs ‘undici’ via host | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-12-16T15:26:50.318903Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2023-23936.md) |
+| Regular Expression Denial of Service in Headers | `high` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:11:48.635999Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2023-24807.md) |
+| Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:09:53.836338Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2022-35948.md) |
+| `undici.request` vulnerable to SSRF using absolute URL on `pathname` | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:09:53.898548Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2022-35949.md) |
+| undici before v5.8.0 vulnerable to CRLF injection in request headers | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:09:27.728154Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2022-31150.md) |
+| ProxyAgent vulnerable to MITM | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-13T22:15:23.541247Z` | [link](/Users/x/websafe/07-framework-security/frameworks/undici/cases/undici-cve-2022-32210.md) |

07-framework-security/frameworks/undici/cases/undici-cve-2026-1525.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:07:03Z"
-updated_date: "2026-03-14T09:19:54.772219Z"
-severity: "medium"
+updated_date: "2026-03-18T22:58:59.626657Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -50,7 +50,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-
 
 - Canonical ID: `undici--CVE-2026-1525`
 - 系统: `undici`
-- 严重度: `medium`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
 - 影响版本: `introduced=0, fixed<6.24.0, introduced=7.0.0, fixed<7.24.0`
@@ -58,9 +58,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-1525
 - https://hackerone.com/reports/3556037
+- https://cna.openjsf.org/security-advisories.html
 - https://cwe.mitre.org/data/definitions/444.html
 - https://github.com/nodejs/undici
 - https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6

07-framework-security/frameworks/undici/cases/undici-cve-2026-1526.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:41:56Z"
-updated_date: "2026-03-13T20:54:25.563997Z"
-severity: "high"
+updated_date: "2026-03-18T22:58:59.936049Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -50,7 +50,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-
 
 - Canonical ID: `undici--CVE-2026-1526`
 - 系统: `undici`
-- 严重度: `high`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
 - 影响版本: `introduced=0, fixed<6.24.0, introduced=7.0.0, fixed<7.24.0`
@@ -58,9 +58,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-1526
 - https://hackerone.com/reports/3481206
+- https://cna.openjsf.org/security-advisories.html
 - https://datatracker.ietf.org/doc/html/rfc7692
 - https://github.com/nodejs/undici
 - https://owasp.org/www-community/attacks/Denial_of_Service

07-framework-security/frameworks/undici/cases/undici-cve-2026-1527.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:41:26Z"
-updated_date: "2026-03-13T20:54:25.572106Z"
-severity: "medium"
+updated_date: "2026-03-18T22:58:58.996775Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -49,7 +49,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-4992-
 
 - Canonical ID: `undici--CVE-2026-1527`
 - 系统: `undici`
-- 严重度: `medium`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
 - 影响版本: `introduced=0, fixed<6.24.0, introduced=7.0.0, fixed<7.24.0`
@@ -57,9 +57,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-4992-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-1527
 - https://hackerone.com/reports/3487198
+- https://cna.openjsf.org/security-advisories.html
 - https://github.com/nodejs/undici
 
 ## 实验层

07-framework-security/frameworks/undici/cases/undici-cve-2026-1528.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:07:26Z"
-updated_date: "2026-03-14T09:17:45.838435Z"
-severity: "high"
+updated_date: "2026-03-18T22:58:59.863318Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -49,7 +49,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-f269-
 
 - Canonical ID: `undici--CVE-2026-1528`
 - 系统: `undici`
-- 严重度: `high`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
 - 影响版本: `introduced=6.0.0, fixed<6.24.0, introduced=7.0.0, fixed<7.24.0`
@@ -57,9 +57,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-f269-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-1528
 - https://hackerone.com/reports/3537648
+- https://cna.openjsf.org/security-advisories.html
 - https://github.com/nodejs/undici
 
 ## 实验层

07-framework-security/frameworks/undici/cases/undici-cve-2026-2229.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:41:41Z"
-updated_date: "2026-03-13T20:54:26.149214Z"
-severity: "high"
+updated_date: "2026-03-18T22:58:58.908047Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -50,7 +50,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-
 
 - Canonical ID: `undici--CVE-2026-2229`
 - 系统: `undici`
-- 严重度: `high`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
 - 影响版本: `introduced=0, fixed<6.24.0, introduced=7.0.0, fixed<7.24.0`
@@ -58,9 +58,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-2229
 - https://hackerone.com/reports/3487486
+- https://cna.openjsf.org/security-advisories.html
 - https://datatracker.ietf.org/doc/html/rfc7692
 - https://github.com/nodejs/undici
 - https://nodejs.org/api/zlib.html#class-zlibinflateraw

07-framework-security/frameworks/undici/cases/undici-cve-2026-2581.md

@@ -4,8 +4,8 @@ system_id: "undici"
 category: "frameworks"
 advisory_mode: "core"
 published_date: "2026-03-13T20:37:58Z"
-updated_date: "2026-03-13T20:54:25.417862Z"
-severity: "medium"
+updated_date: "2026-03-18T23:58:57.714731Z"
+severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
 verification_status: "verified-real"
@@ -47,7 +47,7 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-
 
 - Canonical ID: `undici--CVE-2026-2581`
 - 系统: `undici`
-- 严重度: `medium`
+- 严重度: `low`
 - 来源置信度: `official`
 - 官方主源: https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h
 - 影响版本: `introduced=7.17.0, fixed<7.24.0`
@@ -55,9 +55,9 @@ primary_source: "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-
 
 ## 其他来源
 
-- https://cna.openjsf.org/security-advisories.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-2581
 - https://hackerone.com/reports/3513473
+- https://cna.openjsf.org/security-advisories.html
 - https://github.com/nodejs/undici
 
 ## 实验层