CVE-2026-11525
Published 2026-06-17
Priority P4 · Low · CVSS 3.1 base score 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.25% (15.9th percentile)
Impact:
When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).
Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.
This was introduced in undici 5.15.0 when the cookies feature was added.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Two caveats before pinning: the affected-range table on this page lists the 6.x fix as 6.27.0 rather than 6.26.0, so confirm the 6.x fixed version against the GHSA advisory (GHSA-g8m3-5g58-fq7m) or the undici release notes; and no fixed 5.x release is listed, so applications on undici 5.15.0 or later in the 5.x line need to move to a patched 6.x or newer release. The nodejs entries in the affected table reflect the copy of undici bundled with Node.js; for those, the fix ships with a Node.js update rather than an npm dependency bump.
Workarounds:
After parsing a Set-Cookie header, validate that the sameSite attribute is exactly one of Strict, Lax, or None (case-insensitive, whole-value match) before forwarding or relying on it. Because the vulnerable parser maps non-spec values onto the standard tokens silently, a check on the parsed object alone cannot distinguish a genuine SameSite=None from a SameSite=NoneOfYourBusiness that was mapped to None; apply the exact-match check to the raw SameSite attribute value in the header string, and treat any other value as non-spec (reject the cookie or drop the attribute) rather than guessing an enforcement level.
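As an added illustration for this page (not undici's code and not part of any advisory text): a reconstruction of the substring matching the advisory describes, a spec-conformant exact match beside it, and a raw-header check that implements the workaround. The check order inside permissiveSameSite and the three sample headers are constructed for the demonstration.

```javascript
// Added example for this page: not undici's source and not advisory text.
// It reconstructs the substring matching the advisory describes, puts a spec-conformant
// exact match beside it, and implements the workaround as a check on the raw header.

const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Return the raw SameSite attribute value from a Set-Cookie header string, or undefined
// when the attribute is absent. The first segment is the name=value pair and is skipped;
// attribute names are matched case-insensitively, as RFC 6265 requires.
function rawSameSite(setCookieHeader) {
  const [, ...attributes] = setCookieHeader.split(';');
  for (const attr of attributes) {
    const eq = attr.indexOf('=');
    const name = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (name === 'samesite') {
      return eq === -1 ? '' : attr.slice(eq + 1).trim();
    }
  }
  return undefined;
}

// Approximation of the vulnerable behaviour: case-insensitive substring tests where the
// last hit wins. The check order (None, Strict, Lax) is an assumption chosen so that the
// two examples in the advisory come out as it states; it is not copied from undici.
function permissiveSameSite(value) {
  if (typeof value !== 'string') return undefined;
  const lower = value.toLowerCase();
  let enforcement;
  if (lower.includes('none')) enforcement = 'None';
  if (lower.includes('strict')) enforcement = 'Strict';
  if (lower.includes('lax')) enforcement = 'Lax';
  return enforcement; // 'NoneOfYourBusiness' -> 'None', 'StrictLax' -> 'Lax'
}

// Spec-conformant match: the whole value must equal one token, differing at most in case.
// Anything else yields undefined so the caller treats it as non-spec instead of guessing.
function strictSameSite(value) {
  if (typeof value !== 'string') return undefined;
  const lower = value.trim().toLowerCase();
  return SAMESITE_TOKENS.find((token) => token.toLowerCase() === lower);
}

// The workaround, applied to the raw header rather than to a parsed cookie object: once the
// vulnerable parser has mapped 'NoneOfYourBusiness' to 'None', the parsed object is
// indistinguishable from a legitimate SameSite=None cookie. Returns the canonical token,
// null when no SameSite attribute is present, and throws on a non-spec value.
function checkedSameSite(setCookieHeader) {
  const raw = rawSameSite(setCookieHeader);
  if (raw === undefined) return null;
  const token = strictSameSite(raw);
  if (token === undefined) {
    throw new Error(`non-spec SameSite value ${JSON.stringify(raw)}; refusing to forward cookie`);
  }
  return token;
}

// Constructed sample headers (not captured traffic): one legitimate cookie and the two
// hostile values named in the advisory.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'sid=abc123; Path=/; Secure; SameSite=NoneOfYourBusiness',
  'sid=abc123; Path=/; Secure; SameSite=StrictLax',
];

// Side-by-side result for each sample: what the permissive parser would report, what an
// exact match reports, and what the raw-header check does with the cookie.
function compare(headers = SAMPLE_HEADERS) {
  return headers.map((header) => {
    const raw = rawSameSite(header);
    let checked;
    try {
      checked = checkedSameSite(header);
    } catch (err) {
      checked = 'rejected';
    }
    return {
      raw,
      permissive: permissiveSameSite(raw),
      strict: strictSameSite(raw),
      checked,
    };
  });
}

console.table(compare());
```

Run it with node; the table prints one row per sample, with the permissive column showing None and Lax for the two hostile headers and the checked column showing them rejected. In a proxy, run checkedSameSite over each Set-Cookie header before handing it to undici's parser or re-emitting it, and log the rejection: a compliant server has no reason to send a non-spec SameSite value, so one arriving from an upstream you do not control is worth an alert.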
Affected
39 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| nodejs | nodejs | — | — |
| nodejs | undici | < 6.27.0 | 6.27.0 |
| nodejs | undici | >= 7.0.0 < 7.28.0 | 7.28.0 |
| nodejs | undici | >= 8.0.0 < 8.5.0 | 8.5.0 |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| cvelistv5 | CVSS v3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Red Hat (vendor) | — | 3.7 | LOW | — |
GHSA · 2026-06-19 · LOW · CWE-183
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
VulDB · 2026-06-17 · LOW
undici up to 6.25.x/7.27.x/8.4.x Cookies Feature permissive list of allowed inputs (GHSA-g8m3-5g58-fq7m)
A vulnerability was found in undici up to 6.25.x/7.27.x/8.4.x. It has been declared as problematic. This impacts an unknown function of the component Cookies Feature. The manipulation results in a permissive list of allowed inputs.
This vulnerability is cataloged as CVE-2026-11525. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
CVEList · 2026-06-17 · CVSS 3.7 · LOW · CWE-183
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Red Hat · 2026-06-17 · CVSS 3.7 · LOW · CWE-1286
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-06-17 · LOW
CVE-2026-11525 nodejs20: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla · 2026-06-17 · LOW
CVE-2026-11525 nodejs24: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header [fedora-all]
Bugzilla · 2026-06-17 · LOW
CVE-2026-11525 fbthrift: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header [fedora-all]
Bugzilla · 2026-06-17 · LOW
CVE-2026-11525 undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
Bugzilla · 2026-06-17 · LOW
CVE-2026-11525 nodejs22: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header [fedora-all]