CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool confusion
CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool confusion - High - 2026-06-17
Business risk: A shared SOCKS proxy pool can silently send credentials and request bodies for one customer origin to another origin.
Root cause: The SOCKS connection pool is reused without binding the pool to the requested origin.
Affected versions
- Vulnerable: undici 7.23.0 through 8.1.0 when one Socks5ProxyAgent or global dispatcher is reused for more than one origin.
- Fixed / safe target: Upgrade to undici 7.26.0+ or 8.2.0+ and use a separate Socks5ProxyAgent/dispatcher per origin.
- CVSS: 7.5 (High)
Exact vulnerable code pattern
import { Socks5ProxyAgent, setGlobalDispatcher } from 'undici';
setGlobalDispatcher(new Socks5ProxyAgent('socks://proxy.internal:1080'));
await fetch('https://tenant-a.example/api', { headers: { authorization: tokenA } });
await fetch('https://tenant-b.example/api', { headers: { authorization: tokenB } });
Fixed / mitigated code pattern
import { Socks5ProxyAgent, request } from 'undici';
const dispatchers = new Map();
function dispatcherFor(origin) {
if (!dispatchers.has(origin)) {
dispatchers.set(origin, new Socks5ProxyAgent('socks://proxy.internal:1080'));
}
return dispatchers.get(origin);
}
const url = new URL('https://tenant-a.example/api');
await request(url, { dispatcher: dispatcherFor(url.origin), headers: { authorization: tokenA } });
Step-by-step integration guide
- Upgrade undici in manifests, lockfiles, images, and bundled CLIs.
- Replace shared/global Socks5ProxyAgent use with per-origin dispatchers.
- Add tests proving two origins do not share the first origin pool.
- Rotate credentials that may have crossed origins.
- Deploy and monitor proxy logs for unexpected host mismatches.
Alternative mitigations
- Disable Socks5ProxyAgent for multi-origin traffic.
- Create one process or dispatcher per destination origin.
- Strip Authorization/Cookie headers on proxy-routed cross-origin calls until patched.
Detection signature
rg -n "Socks5ProxyAgent|setGlobalDispatcher|undici" package.json package-lock.json pnpm-lock.yaml yarn.lock .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-6734: undici Socks5ProxyAgent cross-origin pool confusion.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-6734 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, undici, nodejs, socks5, proxy, credential-leak, sellable_to_saas, zero_day_gold, high
- Affected tech stack: javascript/npm
- Revenue tags: sellable_to_saas, zero_day_gold