Skip to content

LTS-4005: bump undici override 7.24.0 -> 7.28.0 (SOCKS5 TLS bypass CVE)#13

Open
dheeren-gaud wants to merge 1 commit into
mainfrom
LTS-4005-undici-cve-bump
Open

LTS-4005: bump undici override 7.24.0 -> 7.28.0 (SOCKS5 TLS bypass CVE)#13
dheeren-gaud wants to merge 1 commit into
mainfrom
LTS-4005-undici-cve-bump

Conversation

@dheeren-gaud

Copy link
Copy Markdown
Contributor

Summary

  • Patches CVE GHSA-vmh5-mc38-953g (CVSS 7.4) — undici's ProxyAgent silently drops requestTls options under SOCKS5, enabling MITM when cert pinning is in use.
  • Raises the existing cheerio.undici override floor from ^7.24.0 to ^7.28.0 in package.json.
  • After regenerating the lock, undici under cheerio resolves to 7.28.0 (patched).
  • webdriver's nested undici (6.x) is not affected — SOCKS5 support was added in undici 7.23.0, so all 6.x versions are immune.

Why a package.json change (vs lock-only)

Unlike sister ticket LTS-4006, this repo has an overrides block that explicitly pinned undici to a narrower range than cheerio itself declares. Updating the lock alone wouldn't suffice — npm respects the override boundary. Raising the floor to ^7.28.0 documents the security intent: anything below this is CVE-vulnerable.

Exposure

Low in practice — this is example/sample code for customers. It doesn't run undici's ProxyAgent with SOCKS5 + custom CA pinning. Patching to satisfy the security SLA.

Jira: https://browserstack.atlassian.net/browse/LTS-4005

Test plan

  • npm ls undici shows cheerio -> undici@7.28.0 and webdriver -> undici@6.27.0
  • npm install from a clean state regenerates the same lock
  • Existing wdio tests still run (if applicable)
  • CI green

🤖 Generated with Claude Code

)

Patches SOCKS5 ProxyAgent TLS bypass (CVSS 7.4). The repo's existing
overrides block pinned cheerio's undici to ^7.24.0, narrower than
cheerio's own ^7.19.0 range. Raising the override floor to ^7.28.0
forces npm to pick the patched version while keeping intent documented.

webdriver's nested undici stays on 6.x (not affected by the CVE;
SOCKS5 support was introduced in undici 7.23.0).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dheeren-gaud dheeren-gaud requested a review from a team as a code owner June 24, 2026 09:35
@dheeren-gaud dheeren-gaud requested a review from Ankit098 June 24, 2026 09:35
@dheeren-gaud dheeren-gaud requested a review from Ritik-soh July 2, 2026 10:30
@Ritik-soh

Copy link
Copy Markdown

Claude Code Review — LTS-4005 undici CVE bump

Verdict: PASS — correct, complete for the stated CVE, safe to merge.

Correctness — verified against the advisory

Targets GHSA-vmh5-mc38-953g / CVE-2026-9697 — ProxyAgent silently drops requestTls on SOCKS5 URIs, so ca/cert/rejectUnauthorized/servername are ignored (TLS cert-validation bypass, MITM risk).

  • Affected: 7.23.07.27.x and 8.0.08.4.x. Patched: 7.28.0, 8.5.0.
  • Previous cheerio undici 7.24.4 was in the affected range → bumping overrides.cheerio.undici to ^7.28.0 (resolved to exactly 7.28.0) clears it. ✓ Right target version.

The v6 instance is correctly left alone

The lockfile carries two undici copies:

  • node_modules/undici (cheerio) → 7.28.0
  • node_modules/webdriver/node_modules/undici floated 6.24.16.27.0; overrides.webdriver.undici left at ^6.24.0.

Leaving v6 alone is correct, not an oversight: the SOCKS5/requestTls bug was introduced in 7.23.0 when SOCKS5 support was added — the advisory explicitly does not affect 6.x. Worth calling out in the PR description so a reviewer doesn't also bump it.

Findings

[Low] Lockfile regeneration churn beyond the stated change. The diff adds/removes many "peer": true flags and introduces two new dev entries (bare-events@2.9.1, devtools-protocol@0.0.1648812), plus floats webdriver's undici to 6.27.0. These are side effects of re-running npm install (likely on a newer npm), not part of the CVE fix. Not blocking — just confirm the lockfile came from a clean npm install on the project's pinned npm version rather than a hand-edit.

[Low / informational] Other 2026 undici advisories exist (e.g. CVE-2026-12151, WebSocket-fragment DoS). 7.28.0 is scoped correctly to LTS-4005's SOCKS5 CVE; a follow-up sweep for the others is worth a separate ticket.

[Info] Real-world exposure here is minimal. undici is dev: true (transitive under cheerio via the wdio toolchain) in a sample/demo repo, and the attack needs a SOCKS5 ProxyAgent with requestTls cert-pinning — which a demo project won't configure. The bump is legitimate scanner-hygiene rather than a live risk fix.

Bottom line

Correct fix, correct version, sound scoping. Only nits are lockfile-hygiene confirmation. Safe to merge.

🤖 Reviewed with Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants