CVE-2026-1525

EPSS 0.02%
Veröffentlicht 12.03.2026 19:56:55
Zuletzt bearbeitet 19.03.2026 17:29:34
Quelle ce714d77-add3-4f53-aff5-83d477
CVE-Watchlists
Login
Unerledigt
Login

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  *  Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  *  Applications that accept user-controlled header names without case-normalization


Potential consequences:

  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Undici SwPlatformnode.js Version < 6.24.0

Nodejs ≫ Undici SwPlatformnode.js Version >= 7.0.0 < 7.24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.037

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ce714d77-add3-4f53-aff5-83d477b104bb	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://cwe.mitre.org/data/definitions/444.html

Technical Description

https://cna.openjsf.org/security-advisories.html

Vendor Advisory

https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm

Vendor Advisory

Mitigation

https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6

Technical Description

https://hackerone.com/reports/3556037

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2026-1525