PT-2026-50512 · Undici · Undici

Mcollina +1

Published 2026-06-17 · Updated 2026-06-17

CVE-2026-6733

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
undici versions prior to 6.26.0
undici versions prior to 7.28.0
undici versions prior to 8.5.0

Description
The HTTP/1.1 client is subject to response queue poisoning when keep-alive sockets are reused. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request has finished. When the client then sends a subsequent request over that same socket, it incorrectly associates the injected response with the new request, so responses are delivered to the wrong requests. This issue requires a compromised or attacker-controlled upstream HTTP/1.1 server and the use of keep-alive connection reuse.

Recommendations
Upgrade to version 6.26.0.
Upgrade to version 7.28.0.
Upgrade to version 8.5.0.
As a temporary workaround, disable keep-alive connection reuse by setting the keepAliveTimeout option to 0 on the Client or Pool.
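The following is an added example, not code from undici or from this advisory. It models, in dependency-free JavaScript, the keep-alive bookkeeping the description refers to: a FIFO of in-flight requests on one socket, and a response parser that hands each parsed response to the request at the head of that queue. With strict set to false it reproduces the failure mode described above (a response arriving on an idle socket is buffered and answers the next request); with strict set to true a response that no request is waiting for closes the socket instead. The class and function names, the request paths and the response strings are all constructed for the illustration; undici's real parser and its fix are not shown here.

```javascript
// Added example (not undici's code): a minimal model of HTTP/1.1 keep-alive
// response bookkeeping on one socket, with the unsolicited-response failure
// mode the advisory describes and the defensive handling that prevents it.
// All names, paths and response strings below are constructed for illustration.

// Parse one complete HTTP/1.1 response from the front of `buf`.
// Returns { status, body, rest } or null while the message is still incomplete.
// Only Content-Length framing is modelled (no chunked encoding).
function parseResponse(buf) {
  const headerEnd = buf.indexOf('\r\n\r\n');
  if (headerEnd === -1) return null;
  const head = buf.slice(0, headerEnd).split('\r\n');
  const status = parseInt(head[0].split(' ')[1], 10);
  let length = 0;
  for (const line of head.slice(1)) {
    const [name, value] = line.split(/:\s*/, 2);
    if (name.toLowerCase() === 'content-length') length = parseInt(value, 10);
  }
  const bodyStart = headerEnd + 4;
  if (buf.length < bodyStart + length) return null;
  return {
    status,
    body: buf.slice(bodyStart, bodyStart + length),
    rest: buf.slice(bodyStart + length),
  };
}

class KeepAliveConnection {
  constructor({ strict }) {
    this.strict = strict;   // true: reject responses that no request is waiting for
    this.pending = [];      // in-flight requests, FIFO; responses are matched in order
    this.buffer = '';       // socket bytes not yet parsed
    this.closed = false;
    this.log = [];
  }

  // Queue a request on this (reused) socket.
  send(path, onResponse) {
    if (this.closed) throw new Error('connection closed');
    this.pending.push({ path, onResponse });
    this.drain(); // in non-strict mode, previously buffered bytes answer it immediately
  }

  // Bytes arriving from the upstream server.
  onData(chunk) {
    if (this.closed) return;
    this.buffer += chunk;
    this.drain();
  }

  drain() {
    let parsed;
    while ((parsed = parseResponse(this.buffer)) !== null) {
      if (this.pending.length === 0) {
        if (this.strict) {
          // Nothing is in flight, so this response cannot belong to any request:
          // discard it and take the socket out of the pool.
          this.log.push('unsolicited response: closing socket');
          this.closed = true;
          this.buffer = '';
          return;
        }
        // Vulnerable behaviour: keep the bytes and let the next request consume them.
        this.log.push('unsolicited response buffered');
        return;
      }
      const req = this.pending.shift();
      this.buffer = parsed.rest;
      req.onResponse({ path: req.path, status: parsed.status, body: parsed.body });
    }
  }
}

// One socket lifetime: a normal exchange, an idle gap in which the upstream
// pushes an unsolicited response, then a second request on the same socket.
function runScenario(strict) {
  const conn = new KeepAliveConnection({ strict });
  const delivered = [];
  const record = (res) => delivered.push(res);

  conn.send('/login', record);
  conn.onData('HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok');

  // Socket is idle and kept alive. A malicious upstream injects a response now.
  conn.onData('HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nPOISONED');

  if (!conn.closed) {
    conn.send('/balance', record);
    conn.onData('HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\n100');
  }
  return { delivered, closed: conn.closed, log: conn.log };
}

console.log(JSON.stringify(runScenario(false)));
console.log(JSON.stringify(runScenario(true)));
```

Running it with node prints two results: in the non-strict run the second request, /balance, receives the injected POISONED body and the genuine reply for it is left sitting in the buffer for whatever request comes next; in the strict run the first request completes normally, the injected response closes the socket, and nothing is misdelivered. The advisory's interim workaround, keepAliveTimeout set to 0, removes the idle-but-reusable socket state in which the non-strict path goes wrong, since no finished socket is kept around for a later request.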

Fix

Time Of Check To Time Of Use


Weakness Enumeration

Related Identifiers: CVE-2026-6733

Affected Products: Undici