
Commit d5fa46b

1 parent 020382a commit d5fa46b

2 files changed

Lines changed: 185 additions & 0 deletions


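--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,96 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-2mjp-6q6p-2qxm",
+"modified": "2026-03-13T20:07:03Z",
+"published": "2026-03-13T20:07:03Z",
+"aliases": [
+"CVE-2026-1525"
+],
+"summary": "Undici has an HTTP Request/Response Smuggling issue",
+"details": "### Impact\n\nUndici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.\n\n**Who is impacted:**\n - Applications using `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays\n - Applications that accept user-controlled header names without case-normalization\n\n**Potential consequences:**\n - **Denial of Service**: Strict HTTP parsers (proxies, servers) will reject requests with duplicate `Content-Length` headers (400 Bad Request)\n - **HTTP Request Smuggling**: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\n If upgrading is not immediately possible:\n\n 1. **Validate header names**: Ensure no duplicate `Content-Length` headers (case-insensitive) are present before passing headers to undici\n 2. **Use object format**: Pass headers as a plain object (`{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key\n 3. **Sanitize user input**: If headers originate from user input, normalize header names to lowercase and reject duplicates",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "undici"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "6.24.0"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "undici"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "7.0.0"
+},
+{
+"fixed": "7.24.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
+},
+{
+"type": "WEB",
+"url": "https://hackerone.com/reports/3556037"
+},
+{
+"type": "WEB",
+"url": "https://cna.openjsf.org/security-advisories.html"
+},
+{
+"type": "WEB",
+"url": "https://cwe.mitre.org/data/definitions/444.html"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/nodejs/undici"
+},
+{
+"type": "WEB",
+"url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-444"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-13T20:07:03Z",
+"nvd_published_at": "2026-03-12T20:16:02Z"
+}
+}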
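Review bot: The remediation sentence in `details` (hunk line 10) names two fixed versions but then says "Users should upgrade to this version or later", which leaves a 6.x consumer unsure whether 6.24.0 is sufficient even though the `affected` ranges (0–6.24.0 and 7.0.0–7.24.0) say it is. Suggest `Patched in undici v6.24.0 and v7.24.0. Users on the 6.x line should upgrade to v6.24.0 or later; users on the 7.x line to v7.24.0 or later.` The same sentence appears in the second file of this commit (GHSA-f269-vfmq-vjvj), where the `### Patches` heading is additionally followed by an extra blank line and a leading space before "Patched", so the markdown renders inconsistently with the first file. The Workarounds list and the CVSS vector are consistent with the impact described, so this is wording only.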
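--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,89 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-f269-vfmq-vjvj",
+"modified": "2026-03-13T20:07:26Z",
+"published": "2026-03-13T20:07:26Z",
+"aliases": [
+"CVE-2026-1528"
+],
+"summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
+"details": "### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nThere are no workarounds.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "undici"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0"
+},
+{
+"fixed": "6.24.0"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "undici"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "7.0.0"
+},
+{
+"fixed": "7.24.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
+},
+{
+"type": "WEB",
+"url": "https://hackerone.com/reports/3537648"
+},
+{
+"type": "WEB",
+"url": "https://cna.openjsf.org/security-advisories.html"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/nodejs/undici"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-1284",
+"CWE-248"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-13T20:07:26Z",
+"nvd_published_at": "2026-03-12T21:16:25Z"
+}
+}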
