SCA: security update for undici (GHSA-vmh5-mc38-953g)

high Tenable Cloud Security Plugin ID 443469

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI
(socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's
default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.
Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is
SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-
trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and
tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or
Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was
introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0.
Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope
restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy
ProxyAgent instead, where requestTls is honored correctly. (CVE-2026-9697)

Solution

Update the undici library and its related packages to version 7.28.0 or later.

See Also

https://github.com/advisories/GHSA-vmh5-mc38-953g

Plugin Details

Severity: High

ID: 443469

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.77

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2026-9697

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/18/2026

Vulnerability Publication Date: 6/17/2026

Reference Information

CVE: CVE-2026-9697

cwe: CWE-295