FKIE_CVE-2026-1525

Vulnerability from fkie_nvd - Published: 2026-03-12 20:16 - Updated: 2026-03-19 17:29
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
References
ce714d77-add3-4f53-aff5-83d477b104bbhttps://cna.openjsf.org/security-advisories.htmlVendor Advisory
ce714d77-add3-4f53-aff5-83d477b104bbhttps://cwe.mitre.org/data/definitions/444.htmlTechnical Description
ce714d77-add3-4f53-aff5-83d477b104bbhttps://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxmMitigation, Vendor Advisory
ce714d77-add3-4f53-aff5-83d477b104bbhttps://hackerone.com/reports/3556037Permissions Required
ce714d77-add3-4f53-aff5-83d477b104bbhttps://www.rfc-editor.org/rfc/rfc9110.html#section-8.6Technical Description
Impacted products
Vendor Product Version
nodejs undici *
nodejs undici *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C08CE582-019D-4A06-910A-6010C2D6EF4F",
              "versionEndExcluding": "6.24.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F016E7D9-C45A-4DEF-9AD8-F0581AF5E509",
              "versionEndExcluding": "7.24.0",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Undici allows duplicate HTTP\u00a0Content-Length\u00a0headers when they are provided in an array with case-variant names (e.g.,\u00a0Content-Length\u00a0and\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\u00a0Content-Length\u00a0values on the wire.\n\nWho is impacted:\n\n  *  Applications using\u00a0undici.request(),\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\n  *  Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u00a0Content-Length\u00a0headers (400 Bad Request)\n  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking"
    },
    {
      "lang": "es",
      "value": "Undici permite encabezados HTTP Content-Length duplicados cuando se proporcionan en un array con nombres que var\u00edan en may\u00fasculas/min\u00fasculas (p. ej., Content-Length y content-length). Esto produce solicitudes HTTP/1.1 malformadas con m\u00faltiples valores Content-Length conflictivos en la red.\n\nQui\u00e9nes son los afectados:\n\n  *  Aplicaciones que utilizan undici.request(), undici.Cliente, o APIs de bajo nivel similares con encabezados pasados como arrays planos\n  *  Aplicaciones que aceptan nombres de encabezado controlados por el usuario sin normalizaci\u00f3n de may\u00fasculas/min\u00fasculas\n\nPosibles consecuencias:\n\n  *  Denegaci\u00f3n de Servicio: Analizadores HTTP estrictos (proxies, servidores) rechazar\u00e1n las solicitudes con encabezados Content-Length duplicados (400 Solicitud Incorrecta)\n  *  Contrabando de Solicitudes HTTP: En implementaciones donde un intermediario y un backend interpretan encabezados duplicados de manera inconsistente (p. ej., uno usa el primer valor, el otro usa el \u00faltimo), esto puede habilitar ataques de contrabando de solicitudes que conducen a la omisi\u00f3n de ACL, envenenamiento de cach\u00e9 o secuestro de credenciales"
    }
  ],
  "id": "CVE-2026-1525",
  "lastModified": "2026-03-19T17:29:34.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-12T20:16:02.670",
  "references": [
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "tags": [
        "Technical Description"
      ],
      "url": "https://cwe.mitre.org/data/definitions/444.html"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://hackerone.com/reports/3556037"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
    }
  ],
  "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.