Hi Xavier, On Mon, Apr 06, 2026 at 12:38:57PM +0200, Xavier wrote: > Hi, > > CVE-2025-23167 affects llhttp library. Starting from node-undici > 7.15.0+dfsg+~cs3.2.0-1, llhttp has been removed from node-undici and is > built as separated package. Therefor this CVE doesn't affect node-undici on > trixie, forky and sid. > > The llhttp package isn't affected (already mentionned insecurity tracker)
Thanks, I have updated the tracking and added as well an item on llhttp and node-undici in the embedded-code-copies file. Regards, Salvatore
