PT-2026-50499 · Undici · Undici

Khafradev

+3

·

Published

2026-06-17

·

Updated

2026-06-17

·

CVE-2026-11525

CVSS v3.1

3.7

Low

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

undici versions 5.15.0 through 6.25.x
undici versions 7.0.0 through 7.27.x
undici versions 8.0.0 through 8.4.x

Description

When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a substring instead of requiring a case-insensitive exact match as specified by RFC 6265. This allows non-spec values to be silently mapped to standard tokens; for instance, SameSite=NoneOfYourBusiness is parsed as None, and SameSite=StrictLax is parsed as Lax. Applications that consume Set-Cookie headers via fetch or proxy code paths and rely on the parsed sameSite attribute can be coerced by a malicious or non-compliant server into applying a weaker SameSite policy, degrading the intended cookie enforcement.

Recommendations

Upgrade to version 6.26.0.
Upgrade to version 7.28.0.
Upgrade to version 8.5.0.

As a temporary workaround, validate that the resulting sameSite attribute is exactly 'Strict', 'Lax', or 'None' (case-insensitive) after parsing a Set-Cookie header and before relying on it.
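The following is an added illustration, not undici's source code: it models the substring matching described above next to an RFC 6265 style exact match, and shows a raw-header check in the spirit of the workaround. The check order in the loose matcher and the sample header are assumptions chosen to reproduce the advisory's examples.

```javascript
// Added illustration for CVE-2026-11525. NOT undici's code: it models the described
// substring match on SameSite next to an RFC 6265 exact, case-insensitive match.
const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];
function splitAttr(attr) {
  const eq = attr.indexOf('=');
  return eq === -1 ? [attr, ''] : [attr.slice(0, eq), attr.slice(eq + 1)];
}

// Model of the flawed matcher: any value that *contains* a token maps to that token.
// Check order (None, Lax, Strict) is an assumption so the model reproduces the advisory.
function normalizeSameSiteLoose(value) {
  const lower = value.toLowerCase();
  for (const token of ['None', 'Lax', 'Strict']) {
    if (lower.includes(token.toLowerCase())) return token;
  }
  return undefined;
}

// Compliant matcher: the whole value must equal a token, ignoring case.
function normalizeSameSiteExact(value) {
  return SAMESITE_TOKENS.find((t) => t.toLowerCase() === value.trim().toLowerCase());
}

// Minimal Set-Cookie parser; `normalize` decides how SameSite is interpreted.
function parseSetCookie(header, normalize) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, value] = splitAttr(pair);
  const cookie = { name, value };
  for (const attr of attrs) {
    const [key, val] = splitAttr(attr);
    if (key.toLowerCase() === 'samesite') {
      const token = normalize(val);
      if (token !== undefined) cookie.sameSite = token;
    }
  }
  return cookie;
}

// Workaround-style check on the raw header: true only if there is no SameSite
// attribute or every raw SameSite value is exactly Strict, Lax or None (any case).
function rawSameSiteIsCompliant(header) {
  return header.split(';').slice(1).map(splitAttr)
    .filter(([k]) => k.trim().toLowerCase() === 'samesite')
    .every(([, v]) => normalizeSameSiteExact(v) !== undefined);
}
// Constructed sample header using the advisory's example value.
const sample = 'sid=abc123; Path=/; SameSite=NoneOfYourBusiness';
console.log(parseSetCookie(sample, normalizeSameSiteLoose).sameSite); // None
console.log(rawSameSiteIsCompliant(sample)); // false
```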

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-11525

Affected Products

Undici