PT-2026-25066 · Undici +1
Matteo Collina +1 · Published 2026-03-12 · Updated 2026-05-18 · CVE-2026-1527
CVSS v3.1: 4.6 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: undici versions prior to 7.24.0 and prior to 6.24.0

Description: The issue arises when an application passes user-controlled input to the upgrade option of the client.request() function. This allows an attacker to inject CRLF (Carriage Return Line Feed) sequences (\r\n) to add arbitrary HTTP headers or prematurely terminate HTTP requests, potentially smuggling raw data to non-HTTP services such as Redis, Memcached, and Elasticsearch. The root cause is that undici writes the upgrade value directly to the socket without validating it for invalid header characters. The vulnerable code is located in lib/dispatcher/client-h1.js at line 1121.

Recommendations: Upgrade to undici version 7.24.0 or later, or to 6.24.0 or later on the 6.x line. Sanitize the upgrade option string before passing it to undici to prevent the injection of CRLF sequences; for example, use a function that checks for and rejects values containing \r or \n.
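The input check recommended above, as an added example that is not undici's code: it rejects any upgrade value containing \r or \n, and goes slightly further by rejecting every ASCII control character, since none is valid in a header value. The helper names (isSafeUpgradeValue, assertSafeUpgradeValue, buildUpgradeRequest) are assumed; undici is not imported so the file runs offline.

```javascript
// Added example, not undici's own code. Validates a user-controlled `upgrade`
// value before it reaches client.request(), so that a CRLF sequence can never
// be written to the socket as part of the Upgrade header line.

// Matches CR, LF and every other ASCII control character (0x00-0x1F, 0x7F).
// The advisory only requires rejecting \r and \n; the wider set is an
// assumption-free tightening, since no control character is legal here.
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/;

// Returns true when `value` is a non-empty string with no control characters.
function isSafeUpgradeValue(value) {
  return typeof value === 'string'
    && value.length > 0
    && !CONTROL_CHARS.test(value);
}

// Boundary check: throws on an unsafe value, otherwise returns it unchanged.
function assertSafeUpgradeValue(value) {
  if (!isSafeUpgradeValue(value)) {
    throw new TypeError('upgrade option contains invalid header characters');
  }
  return value;
}

// Builds the options object for client.request() only after validation.
// `path` and `headers` are passed through untouched (hypothetical helper).
function buildUpgradeRequest(path, upgrade, headers = {}) {
  return {
    path,
    method: 'GET',
    upgrade: assertSafeUpgradeValue(upgrade),
    headers,
  };
}

// Intended use with undici (not executed here, to keep the example offline):
//   const { Client } = require('undici');
//   const client = new Client('http://127.0.0.1:8080');
//   client.request(buildUpgradeRequest('/', userSuppliedProtocol));

module.exports = { isSafeUpgradeValue, assertSafeUpgradeValue, buildUpgradeRequest };
```

Applying the check is a defence in depth for callers that cannot upgrade immediately; the version upgrade remains the actual fix.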

Fix

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-1527
GHSA-4992-7RV2-5PVQ
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675

Affected Products

Rocky Linux
Undici