CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cna.openjsf.org/security-advisories.html	Vendor Advisory
https://cwe.mitre.org/data/definitions/444.html	Technical Description
https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm	Mitigation Vendor Advisory
https://hackerone.com/reports/3556037	Permissions Required
https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6	Technical Description

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:undici::::::node.js::*
	cpe:2.3:a:nodejs:undici::::::node.js::*

History

No history.

Information

Published : 2026-03-12 20:16

Updated : 2026-03-19 17:29

NVD link : CVE-2026-1525

Mitre link : CVE-2026-1525

CVE.ORG link : CVE-2026-1525

JSON object : View

Products Affected

nodejs

undici

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2026-1525", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-12T20:16:02.670", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://cwe.mitre.org/data/definitions/444.html", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm", "tags": ["Mitigation", "Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://hackerone.com/reports/3556037", "tags": ["Permissions Required"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "Undici allows duplicate HTTP\u00a0Content-Length\u00a0headers when they are provided in an array with case-variant names (e.g.,\u00a0Content-Length\u00a0and\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\u00a0Content-Length\u00a0values on the wire.\n\nWho is impacted:\n\n * Applications using\u00a0undici.request(),\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\n * Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u00a0Content-Length\u00a0headers (400 Bad Request)\n * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking"}, {"lang": "es", "value": "Undici permite encabezados HTTP Content-Length duplicados cuando se proporcionan en un array con nombres que var\u00edan en may\u00fasculas/min\u00fasculas (p. ej., Content-Length y content-length). Esto produce solicitudes HTTP/1.1 malformadas con m\u00faltiples valores Content-Length conflictivos en la red.\n\nQui\u00e9nes son los afectados:\n\n * Aplicaciones que utilizan undici.request(), undici.Cliente, o APIs de bajo nivel similares con encabezados pasados como arrays planos\n * Aplicaciones que aceptan nombres de encabezado controlados por el usuario sin normalizaci\u00f3n de may\u00fasculas/min\u00fasculas\n\nPosibles consecuencias:\n\n * Denegaci\u00f3n de Servicio: Analizadores HTTP estrictos (proxies, servidores) rechazar\u00e1n las solicitudes con encabezados Content-Length duplicados (400 Solicitud Incorrecta)\n * Contrabando de Solicitudes HTTP: En implementaciones donde un intermediario y un backend interpretan encabezados duplicados de manera inconsistente (p. ej., uno usa el primer valor, el otro usa el \u00faltimo), esto puede habilitar ataques de contrabando de solicitudes que conducen a la omisi\u00f3n de ACL, envenenamiento de cach\u00e9 o secuestro de credenciales"}], "lastModified": "2026-03-19T17:29:34.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C08CE582-019D-4A06-910A-6010C2D6EF4F", "versionEndExcluding": "6.24.0"}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F016E7D9-C45A-4DEF-9AD8-F0581AF5E509", "versionEndExcluding": "7.24.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}