Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in org.webjars.npm:github-com-nodejs-undici
CVE-2026-1525
- org.webjars.npm:github-com-nodejs-undici
- org.webjars.npm:undici
- undici
Summary
Undici versions prior to 6.24.0 and 7.0.x prior to 7.24.0 allow duplicate HTTPContent-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Impacted applications are applications using "undici.request()", "undici.Client", or similar low-level APIs with headers passed as flat arrays and applications that accept user-controlled header names without case-normalization. Potential consequences are Denial of Service(DoS)where Strict HTTP parsers (proxies, servers) will reject requests with duplicateContent-Lengthheaders (400 Bad Request) and HTTP Request Smuggling where in deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-444 - HTTP Request Smuggling
Entities such as web servers, web caching proxies, and application firewalls could parse HTTP requests differently. When there are two or more such entities in the path of an HTTP request, an attacker can send a specially crafted HTTP request that is seen as two different sets of requests by the attacked devices, allowing the attacker to smuggle a request into one device without the other device being aware of it. Such a vulnerability can prove devastating, for it enables further attacks on the application, like web cache poisoning, session hijacking, cross-site scripting, security bypassing, and sensitive information exposure.
Advisory Timeline
- Published
