CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool confusion

CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool confusion - High - 2026-06-17

Business risk: A shared SOCKS proxy pool can silently send credentials and request bodies for one customer origin to another origin.

Root cause: The SOCKS connection pool is reused without binding the pool to the requested origin.

Affected versions

  • Vulnerable: undici 7.23.0 through 8.1.0 when one Socks5ProxyAgent or global dispatcher is reused for more than one origin.
  • Fixed / safe target: Upgrade to undici 7.26.0+ or 8.2.0+ and use a separate Socks5ProxyAgent/dispatcher per origin.
  • CVSS: 7.5 (High)

Exact vulnerable code pattern

import { Socks5ProxyAgent, setGlobalDispatcher } from 'undici';

setGlobalDispatcher(new Socks5ProxyAgent('socks://proxy.internal:1080'));
await fetch('https://tenant-a.example/api', { headers: { authorization: tokenA } });
await fetch('https://tenant-b.example/api', { headers: { authorization: tokenB } });

Fixed / mitigated code pattern

import { Socks5ProxyAgent, request } from 'undici';

const dispatchers = new Map();
function dispatcherFor(origin) {
  if (!dispatchers.has(origin)) {
    dispatchers.set(origin, new Socks5ProxyAgent('socks://proxy.internal:1080'));
  }
  return dispatchers.get(origin);
}

const url = new URL('https://tenant-a.example/api');
await request(url, { dispatcher: dispatcherFor(url.origin), headers: { authorization: tokenA } });

Step-by-step integration guide

  1. Upgrade undici in manifests, lockfiles, images, and bundled CLIs.
  2. Replace shared/global Socks5ProxyAgent use with per-origin dispatchers.
  3. Add tests proving two origins do not share the first origin pool.
  4. Rotate credentials that may have crossed origins.
  5. Deploy and monitor proxy logs for unexpected host mismatches.

Alternative mitigations

  • Disable Socks5ProxyAgent for multi-origin traffic.
  • Create one process or dispatcher per destination origin.
  • Strip Authorization/Cookie headers on proxy-routed cross-origin calls until patched.

Detection signature

rg -n "Socks5ProxyAgent|setGlobalDispatcher|undici" package.json package-lock.json pnpm-lock.yaml yarn.lock .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-6734: undici Socks5ProxyAgent cross-origin pool confusion.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-6734 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, undici, nodejs, socks5, proxy, credential-leak, sellable_to_saas, zero_day_gold, high
  • Affected tech stack: javascript/npm
  • Revenue tags: sellable_to_saas, zero_day_gold

References