Low severity vulnerability CVE-2026-22036 in `undici` <6.23.0 for multiple toolkit @actions/*

[MikeMcC399]

Situation

npm audit and Dependabot report CVE-2026-22036 (Low severity) in the transient dependency undici (GHSA-g9mf-h72j-4rw9)

This affects @actions/cache@5.0.2 (current latest).

Edit:
The following packages directly specify undici < 6.23.0 and need updating:

Package	Version	undici version
@actions/attest	2.2.0	^6.20.0
@actions/github	8.0.0	^5.28.5
@actions/http-client	3.0.1	^5.28.5

Other packages which depend on the above packages would then also need updating.

Steps to reproduce

cd $(mktemp -d)
npm install @actions/cache
npm audit

Logs

With all packages installed:

$ npm audit
# npm audit report

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/http-client@2.1.1, which is a breaking change
node_modules/undici
  @actions/github  >=6.0.0
  Depends on vulnerable versions of @actions/http-client
  Depends on vulnerable versions of undici
  node_modules/@actions/artifact/node_modules/@actions/github
  node_modules/@actions/attest/node_modules/@actions/github
  node_modules/@actions/github
    @actions/artifact  >=4.0.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/github
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/artifact
    @actions/attest  >=1.1.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/github
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/attest
  @actions/http-client  >=2.2.0
  Depends on vulnerable versions of undici
  node_modules/@actions/artifact/node_modules/@actions/github/node_modules/@actions/http-client
  node_modules/@actions/glob/node_modules/@actions/http-client
  node_modules/@actions/http-client
    @actions/cache  >=5.0.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/cache
    @actions/core  >=2.0.0
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/core
    @actions/tool-cache  >=3.0.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/tool-cache

8 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Related

• @actions/glob@0.5.0 (dependency of @actions/cache) missing Node.js 24 update #2217

[MikeMcC399]

• Apart from the proposed PR fix(deps): upgrade undici dependency to v6.23.0 #2241 the whole hierarchy of @actions/* toolkit versions needs to be reviewed and updated.

[fabasoad]

@Link- @salmanmkc Hi folks! Sorry for the direct ping, but would it be possible to give this repository more attention, at least regarding SCA issues? There are over 170 open pull requests, many of which involve updating dependencies to non-vulnerable or simply the latest stable versions. It seems that reviewing all dependencies, updating them, running tests, and verifying that everything works could resolve a significant portion of the open PRs. What do you think?

[MikeMcC399]

Is there any maintainer available to address this?

It's also showing up in https://github.com/semantic-release/semantic-release as an unresolvable vulnerability.

$ npm audit
# npm audit report

undici  <6.23.0
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/core@1.11.1, which is a breaking change
node_modules/undici
  @actions/http-client  >=2.2.0
  Depends on vulnerable versions of undici
  node_modules/@actions/http-client
    @actions/core  >=2.0.0
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/core

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[schneidergithub]

It's crazy to me how popular and largely distributed this toolkit is, and the state it's in (issues & pr maintenance needed)

[gitme1-ym]

Situation

npm audit and Dependabot report CVE-2026-22036 (Low severity) in the transient dependency undici (GHSA-g9mf-h72j-4rw9)

This affects @actions/cache@5.0.2 (current latest).

Steps to reproduce

cd $(mktemp -d)
npm install @actions/cache
npm audit

Logs

$ npm audit
# npm audit report

undici  <6.23.0
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/cache@4.1.0, which is a breaking change
node_modules/undici
  @actions/http-client  >=2.2.0
  Depends on vulnerable versions of undici
  node_modules/@actions/glob/node_modules/@actions/http-client
  node_modules/@actions/http-client
    @actions/cache  >=5.0.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/cache
    @actions/core  >=2.0.0
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/core

4 low severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

$ npm ls undici
tmp.DnFp4ZKpWi@ /tmp/tmp.DnFp4ZKpWi
└─┬ @actions/cache@5.0.2
  ├─┬ @actions/glob@0.5.0
  │ └─┬ @actions/core@1.11.1
  │   └─┬ @actions/http-client@2.2.3
  │     └── undici@5.29.0 deduped
  └─┬ @actions/http-client@3.0.1
    └── undici@5.29.0

Related

• @actions/glob@0.5.0 (dependency of @actions/cache) missing Node.js 24 update #2217

90595a9

[gitme1-ym]

cd $(mktemp -d)
npm install @actions/cache
npm audit

[roggervalf]

I faced this vulnerability when using semantic-release as well, that's why I wanted to contribute on fixing it. For anyone else facing the same issue. As a workaround I used resolutions:

"resolutions": {
    "undici": "7.19.0"
  },

Once a fix is released that workaround should not be needed anymore

[schneidergithub]

It looks like this repo changed its policy for reporting issues.

[MikeMcC399]

@schneidergithub

You're right. That section was added by 12e323a in June 2025.

There have been many updates this month from GitHub staff, such as @TingluoHuang, @salmanmkc, @GhadimiR or from Microsoft @lokesh755 so perhaps someone from this team would be able to address the undici issue which runs through more or less the whole repo.

[Link-]

Investigating