CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool reuse

CVE-2026-6734 + undici Socks5ProxyAgent cross-origin pool reuse + High + 2026-06-17

One-sentence business risk

Proxy-routed services can leak credentials or trust responses across origins, breaking tenant and service boundaries.

Research notes

  • Root cause: Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool’s origin matches the requested origin.
  • Affected versions: undici 7.23.0 through 8.1.0 when Socks5ProxyAgent is reused across origins.
  • Fixed / safe versions: undici 7.26.0 or 8.2.0.
  • Public exploit / PoC signal: public PoC or exploit details are referenced by NVD; use only safe regression tests and do not execute exploit payloads against production.
  • CVSS: 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Exact vulnerable code pattern

setGlobalDispatcher(new Socks5ProxyAgent(proxyUrl));
await fetch("https://tenant-a.example/api");
await fetch("https://tenant-b.example/api"); // may reuse pool for origin A

Fixed / mitigated code pattern

const agents = new Map();
function dispatcherFor(origin) {
  if (!agents.has(origin)) agents.set(origin, new Socks5ProxyAgent(proxyUrl, { origin }));
  return agents.get(origin);
}
await fetch(url, { dispatcher: dispatcherFor(new URL(url).origin) });

Dependency or runtime update:

npm ls undici
npm install undici@^8.2.0 --save-exact
npm test

Step-by-step integration guide

  1. Inventory undici in source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes.
  2. Upgrade or patch to undici 7.26.0 or 8.2.0; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up.
  3. Replace every vulnerable proxy-routing pattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting.
  4. Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
  5. Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.

Alternative mitigations

  • Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
  • Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
  • Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
  • Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.

Detection signature

id: cve-2026-6734-undici-socks5proxyagent-cross-origin-pool-reuse
source: NVD
package_or_product: "undici"
affected: "undici 7.23.0 through 8.1.0 when Socks5ProxyAgent is reused across origins"
fixed: "undici 7.26.0 or 8.2.0"
cvss: "7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
signals:
  - "proxy-routing"
  - "CVE-2026-6734"
  - "undici"
action: "upgrade, add a regression test, and verify deploy artifact"

Copy-paste skill

You are remediating CVE-2026-6734 (undici Socks5ProxyAgent cross-origin pool reuse) in this repository.

Produce a reviewer-ready PR or TRIAGE.md. Inventory undici across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply undici 7.26.0 or 8.2.0. Replace the vulnerable proxy-routing pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.

Keywords, affected tech stack, and revenue tags

  • Keywords: CVE-2026-6734, proxy-routing, undici, NVD.
  • Affected tech stack: javascript/npm.
  • Revenue tags: sellable_to_fintech, enterprise_blocker, high_priority_sla.

References