PT-2026-50516 · Undici · Undici

Author: Khafradev +3
Published: 2026-06-17 · Updated: 2026-06-17
CVE-2026-9679
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
undici versions 6.x prior to 6.26.0
undici versions 7.0.0 through 7.27.x
undici versions 8.x prior to 8.5.0

Description
The cookie parser in the parseSetCookie function percent-decodes cookie values using qsUnescape, which converts encoded sequences such as %0D%0A, %00, %3B, and %3D into their literal byte equivalents. This behavior deviates from RFC 6265 §5.4 and browser standards, which do not specify such decoding. Applications that use parseSetCookie, parseCookie, or getSetCookies and subsequently forward the parsed values into response headers (for example proxies, middleware, or SSR frameworks) are susceptible to HTTP response header injection. An attacker-controlled upstream source can thereby inject arbitrary Set-Cookie, Location, or Cache-Control headers into the downstream response, potentially leading to session fixation, open redirect, or cache poisoning.

Recommendations
Upgrade to version 6.26.0 for versions in the 6.x branch.
Upgrade to version 7.28.0 for versions in the 7.x branch.
Upgrade to version 8.5.0 for versions in the 8.x branch.
As a temporary workaround, sanitize values returned by parseSetCookie(), parseCookie(), or getSetCookies() to strip or reject CR, LF, NUL, ;, and = bytes before forwarding them into response headers.
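The workaround above, as an added example (not code from the undici project or from this advisory): a small validation layer that sits between a percent-decoding cookie parser and the downstream response. It assumes the input is an already-parsed cookie object of the shape {name, value, path, httpOnly} as the advisory's parser functions return it; the function names isSafeCookieValue, stripCookieValue, requireSafeCookieValue, buildSetCookie and forwardableSetCookies are this example's own, and the upstream value is constructed here by decoding a %0D%0A sequence the way the advisory describes, not captured from real traffic.

```javascript
// Added example, not undici project code: validate parsed cookie values
// before they are copied into downstream response headers.
// Assumes the values have already been percent-decoded by the parser, as the
// advisory describes for parseSetCookie()/parseCookie()/getSetCookies().

// The bytes the advisory's workaround names: CR, LF, NUL, ';' and '='.
const FORBIDDEN = /[\r\n\0;=]/;

// Strict check: true only if the value can be forwarded unchanged.
function isSafeCookieValue(value) {
  return typeof value === 'string' && !FORBIDDEN.test(value);
}

// "Strip" option from the advisory: remove the forbidden bytes.
function stripCookieValue(value) {
  return String(value).replace(/[\r\n\0;=]/g, '');
}

// "Reject" option from the advisory: refuse the value instead of altering it.
function requireSafeCookieValue(name, value) {
  if (!isSafeCookieValue(value)) {
    throw new TypeError(
      `refusing to forward cookie "${name}": value contains CR, LF, NUL, ';' or '='`
    );
  }
  return value;
}

// Build one Set-Cookie header line from a parsed cookie object, validating
// the name, the value and any attribute values before they reach the response.
// mode is 'reject' (default) or 'strip'.
function buildSetCookie(cookie, mode = 'reject') {
  const name = requireSafeCookieValue('name', cookie.name);
  const value = mode === 'strip'
    ? stripCookieValue(cookie.value)
    : requireSafeCookieValue(name, cookie.value);
  const parts = [`${name}=${value}`];
  if (cookie.path) parts.push(`Path=${requireSafeCookieValue('Path', cookie.path)}`);
  if (cookie.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Filter a whole list (the shape a getSetCookies()-style parser returns):
// returns the headers that are safe to forward and the names that were dropped,
// so the caller can log rejected cookies instead of silently passing them on.
function forwardableSetCookies(cookies) {
  const headers = [];
  const rejected = [];
  for (const cookie of cookies) {
    try {
      headers.push(buildSetCookie(cookie));
    } catch (err) {
      if (!(err instanceof TypeError)) throw err;
      rejected.push(cookie.name);
    }
  }
  return { headers, rejected };
}

// Constructed sample: what a percent-decoding parser hands back when an
// upstream Set-Cookie value contains %0D%0A followed by a second header line.
const decoded = decodeURIComponent('abc%0D%0ALocation:https://example.invalid/');
const parsedFromUpstream = { name: 'session', value: decoded, path: '/' };

// Forwarding the list as a proxy would: the injected cookie is dropped.
console.log(forwardableSetCookies([parsedFromUpstream, { name: 'id', value: 'ok' }]));
// { headers: [ 'id=ok' ], rejected: [ 'session' ] }
```

Reject mode is the safer default for a proxy: stripping bytes from a value whose origin is untrusted produces a header the upstream never sent, whereas dropping the cookie and logging its name gives the operator a signal that an upstream is emitting encoded control characters.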

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-9679

Affected Products

Undici