PT-2026-25064 · Undici
Matteo Collina
Published 2026-03-12 · Updated 2026-06-04
CVE-2026-1525
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Undici versions prior to 7.24.0 and prior to 6.24.0
Description
Undici is susceptible to inconsistent interpretation of HTTP requests, specifically HTTP Request/Response Smuggling. The issue arises when duplicate Content-Length headers are supplied in the flat array header format under case-variant names (e.g., Content-Length and content-length). Undici then emits malformed HTTP/1.1 requests that carry conflicting Content-Length values. Applications that use undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays are affected, as are applications that accept user-controlled header names without case normalization. Potential consequences include Denial of Service, where strict HTTP parsers reject requests with duplicate headers, and HTTP Request Smuggling, which can lead to ACL bypass, cache poisoning, or credential hijacking in deployments where intermediaries and backends interpret the headers differently.
Recommendations
Versions prior to 7.24.0 should be upgraded to version 7.24.0 or later.
Versions prior to 6.24.0 should be upgraded to version 6.24.0 or later.
If upgrading is not immediately possible, validate header names to ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici.
If upgrading is not immediately possible, use an object format (e.g., { 'content-length': '123' }) to pass headers, which naturally deduplicates by key.
If upgrading is not immediately possible, sanitize user input by normalizing header names to lowercase and rejecting duplicates.
Fix
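The three interim mitigations above amount to one pre-flight check. The following JavaScript is an added example, not undici's or the advisory's own code: it takes headers either in the flat array form the advisory mentions (alternating name/value entries) or as a plain object, lowercases every name, rejects the request before it reaches undici if Content-Length appears more than once, and returns the lowercase-keyed object the advisory recommends. The SINGLE_VALUED set and the check that the Content-Length value is a non-negative integer go beyond the advisory's text and are this example's own choices.

```javascript
// Added example (not undici's code): pre-flight header validation for the
// mitigation the advisory recommends while an upgrade is pending.

// Headers that must never repeat. 'content-length' is the one the advisory
// covers; extending the set is a local policy choice (assumption).
const SINGLE_VALUED = new Set(['content-length']);

// RFC 7230 token characters, the only ones allowed in a header name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Turn either accepted input shape into [name, value] pairs.
function toPairs(headers) {
  if (Array.isArray(headers)) {
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must hold name/value pairs');
    }
    const pairs = [];
    for (let i = 0; i < headers.length; i += 2) {
      pairs.push([headers[i], headers[i + 1]]);
    }
    return pairs;
  }
  if (headers && typeof headers === 'object') return Object.entries(headers);
  throw new TypeError('headers must be a flat array or a plain object');
}

// Lowercase every name, refuse a second Content-Length under any casing,
// and return a plain object keyed by lowercase names.
function normalizeHeaders(headers) {
  const seen = new Map(); // lowercase name -> value, or array of values
  for (const [rawName, value] of toPairs(headers)) {
    if (typeof rawName !== 'string' || !TOKEN.test(rawName)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(rawName)}`);
    }
    const name = rawName.toLowerCase();
    if (seen.has(name)) {
      if (SINGLE_VALUED.has(name)) {
        throw new Error(
          `duplicate ${name} header (${JSON.stringify(rawName)} repeats an earlier case variant)`,
        );
      }
      // Other headers may legitimately repeat; keep every value.
      seen.set(name, [].concat(seen.get(name), value));
    } else {
      seen.set(name, value);
    }
  }
  // A strict parser would reject anything but digits here, and an array
  // value would again mean more than one Content-Length on the wire.
  const cl = seen.get('content-length');
  if (cl !== undefined && !/^\d+$/.test(String(cl))) {
    throw new Error(`content-length must be a non-negative integer, got ${JSON.stringify(cl)}`);
  }
  return Object.fromEntries(seen);
}

// Demonstration on constructed inputs.
console.log(normalizeHeaders(['Content-Type', 'text/plain', 'Content-Length', '5']));
try {
  normalizeHeaders(['Content-Length', '5', 'content-length', '6']);
} catch (err) {
  console.log('rejected:', err.message);
}
```

Run normalizeHeaders on any caller-supplied headers and pass only its return value to undici. Note the caveat behind the object-format recommendation: JavaScript object keys are case-sensitive, so { 'Content-Length': '5', 'content-length': '6' } is two keys, not one; the object form deduplicates only once names have been lowercased, which is why the function normalizes before it builds the object.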
DoS
HTTP Request/Response Smuggling
Affected Products
Rocky Linux
Undici