CVE-2026-1525

March 12, 2026, 9:07 p.m.

6.5
Medium

Description

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Product(s) Impacted

Vendor Product Versions
Undici
  • Undici
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a undici undici / / / / / / / /

References

https://cna.openjsf.org/security-advisories.html
https://cwe.mitre.org/data/definitions/444.html
https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
https://hackerone.com/reports/3556037
https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6

Tags

CWE-444
ce714d77-add3-4f53-aff5-83d477b104bb
2026-03-12
CVE-2026-1525

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

    View Vector String

Timeline

Published: March 12, 2026, 8:16 p.m.
Last Modified: March 12, 2026, 9:07 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ce714d77-add3-4f53-aff5-83d477b104bb

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.