Attack Chain

1. An application initializes and configures undici to use a Socks5ProxyAgent for outgoing network requests, either globally via setGlobalDispatcher or locally.
2. The application makes its first request to an origin_A (e.g., malicious-domain.com) through the configured Socks5ProxyAgent.
3. undici establishes a connection pool to origin_A via the SOCKS5 proxy, associating this pool with the first requested origin.
4. Subsequently, the application attempts to make a request to a legitimate origin_B (e.g., secure-service.com) using the same Socks5ProxyAgent instance.
5. Due to the vulnerability, undici reuses the existing connection pool (which was established for origin_A) for the request to origin_B, without validating the target origin.
6. As a result, sensitive request data, including credentials, intended for origin_B is misdirected and sent to origin_A through the established SOCKS5 proxy connection.
7. The application may then receive and trust responses from origin_A, mistakenly believing they originated from origin_B, leading to data corruption or further compromise.
8. Furthermore, if origin_A supports HTTP and the connection was established as such, HTTPS requests intended for origin_B can be silently downgraded to HTTP, compromising encryption and integrity.

Impact

The primary impact of this vulnerability is the unintended exposure of sensitive data and potential compromise of application integrity. Applications that utilize Socks5ProxyAgent and interact with multiple origins are at risk. Credentials and request bodies intended for one origin can be misdirected to another, allowing an attacker to intercept or manipulate data. This can lead to unauthorized access, data breaches, and service disruption. Additionally, the silent downgrade of HTTPS requests to HTTP strips away crucial transport layer security, making communications vulnerable to eavesdropping and tampering. There is no specific victim count or sector information available, but any Node.js application using vulnerable versions of undici in the described configuration is affected.

Recommendation

• Immediately upgrade npm/undici to version v7.28.0 or v8.2.0 or later to apply the official patches for CVE-2026-6734.
• If immediate upgrade is not possible, implement the recommended workarounds by using a separate Socks5ProxyAgent instance per origin for undici or avoid using Socks5ProxyAgent with multiple origins.
• Deploy the provided Sigma rules to detect anomalous network traffic from node.exe processes that might indicate misrouted requests, specifically observing for connections to private IP ranges or unexpected HTTP traffic to external hosts.
• Enable comprehensive network connection logging for node.exe processes on all affected operating systems to improve visibility into potential exploitation attempts.