LTS-4005: bump undici override 7.24.0 -> 7.28.0 (SOCKS5 TLS bypass CVE)#13

Open
dheeren-gaud wants to merge 1 commit into main from LTS-4005-undici-cve-bump
Conversation

@dheeren-gaud

Contributor

Summary

  • Patches CVE GHSA-vmh5-mc38-953g (CVSS 7.4) — undici's ProxyAgent silently drops requestTls options under SOCKS5, enabling MITM when cert pinning is in use.
  • Raises the existing cheerio.undici override floor from ^7.24.0 to ^7.28.0 in package.json.
  • After regenerating the lock, undici under cheerio resolves to 7.28.0 (patched).
  • webdriver's nested undici (6.x) is not affected — SOCKS5 support was added in undici 7.23.0, so all 6.x versions are immune.

Why a package.json change (vs lock-only)

Unlike sister ticket LTS-4006, this repo has an overrides block that explicitly pinned undici to a narrower range than cheerio itself declares. Updating the lock alone wouldn't suffice — npm respects the override boundary. Raising the floor to ^7.28.0 documents the security intent: anything below this is CVE-vulnerable.

Exposure

Low in practice — this is example/sample code for customers. It doesn't run undici's ProxyAgent with SOCKS5 + custom CA pinning. Patching to satisfy the security SLA.

Jira: https://browserstack.atlassian.net/browse/LTS-4005

Test plan

  • npm ls undici shows cheerio -> undici@7.28.0 and webdriver -> undici@6.27.0
  • npm install from a clean state regenerates the same lock
  • Existing wdio tests still run (if applicable)
  • CI green

🤖 Generated with Claude Code

Patches SOCKS5 ProxyAgent TLS bypass (CVSS 7.4). The repo's existing
overrides block pinned cheerio's undici to ^7.24.0, narrower than
cheerio's own ^7.19.0 range. Raising the override floor to ^7.28.0
forces npm to pick the patched version while keeping intent documented.

webdriver's nested undici stays on 6.x (not affected by the CVE;
SOCKS5 support was introduced in undici 7.23.0).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
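One way to make the "Exposure" and "Test plan" claims above checkable without running `npm ls` by hand is to audit the lockfile directly for undici entries that still fall inside the vulnerable window the PR describes (SOCKS5 support introduced in 7.23.0, fix in 7.28.0). The script below is an added example, not code from this PR or from the undici project; it assumes a lockfileVersion 2/3 `package-lock.json` whose `packages` map uses `node_modules/...` paths, and the two embedded lock snippets are constructed to mirror the PR's before/after state rather than taken from the repo.

```python
import json
import re
from typing import Iterator, List, Tuple

# Version boundaries as stated in the PR description: the affected SOCKS5
# ProxyAgent path exists from undici 7.23.0 onward and is fixed in 7.28.0.
AFFECTED_MIN = (7, 23, 0)
FIXED = (7, 28, 0)

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse the numeric core of a semver string ('7.28.0-rc.1' -> (7, 28, 0))."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this undici version lies in the vulnerable window [7.23.0, 7.28.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def find_undici(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (lock path, version) for every undici entry, top-level or nested."""
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/undici" or path.endswith("/node_modules/undici"):
            yield path, meta["version"]


def audit(lock: dict) -> List[Tuple[str, str]]:
    """Return the lock entries that still resolve undici to a vulnerable version."""
    return [(p, v) for p, v in find_undici(lock) if is_affected(v)]


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: audit a package-lock.json on disk (hypothetical path)."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed sample locks (not the repo's real lockfile). "Before" has cheerio's
# nested undici on 7.24.0 (affected) and webdriver's on 6.27.0 (unaffected);
# "after" has cheerio's nested undici raised to 7.28.0.
SAMPLE_LOCK_BEFORE = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app"},
    "node_modules/cheerio": {"version": "1.0.0"},
    "node_modules/cheerio/node_modules/undici": {"version": "7.24.0"},
    "node_modules/webdriver": {"version": "9.0.0"},
    "node_modules/webdriver/node_modules/undici": {"version": "6.27.0"}
  }
}
""")

SAMPLE_LOCK_AFTER = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app"},
    "node_modules/cheerio": {"version": "1.0.0"},
    "node_modules/cheerio/node_modules/undici": {"version": "7.28.0"},
    "node_modules/webdriver": {"version": "9.0.0"},
    "node_modules/webdriver/node_modules/undici": {"version": "6.27.0"}
  }
}
""")

if __name__ == "__main__":
    for label, lock in (("before", SAMPLE_LOCK_BEFORE), ("after", SAMPLE_LOCK_AFTER)):
        hits = audit(lock)
        status = "VULNERABLE" if hits else "ok"
        print(f"{label}: {status}")
        for path, version in hits:
            print(f"  {path} -> undici@{version}")
```

Because the check walks every `node_modules/.../undici` path in the lock, it also catches a second nested copy that `npm ls undici` output might be skimmed past, and it treats 6.x as unaffected for exactly the reason the PR gives (no SOCKS5 code path before 7.23.0) rather than simply requiring "latest".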
@dheeren-gaud dheeren-gaud requested a review from a team as a code owner June 24, 2026 09:35
@dheeren-gaud dheeren-gaud requested a review from Ankit098 June 24, 2026 09:35