CVE-2026-1525

CWE-444 — HTTP Request Smuggling9 documents8 sources

Severity

9.8CRITICAL

EPSS

0.0%

top 95.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Undici Undici Nodejs Undici

Timeline

PublishedMar 12

Latest updateMar 13

Description

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

▶npmundici7.0.0 — 7.24.0+1

▶CVEListV5undici/undici< 6.24.0; 7.0.0 < 7.24.0

▶NVDnodejs/undici7.0.0 — 7.24.0+1

▶Debiannode-undici< 7.24.5+dfsg+~cs3.2.0-1

🔴Vulnerability Details

OSV

Undici has an HTTP Request/Response Smuggling issue↗2026-03-13

▶

GHSA

Undici has an HTTP Request/Response Smuggling issue↗2026-03-13

▶

CVEList

undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')↗2026-03-12

▶

OSV

CVE-2026-1525: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e↗2026-03-12

▶

📋Vendor Advisories

Red Hat

undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers↗2026-03-12

▶

Debian

CVE-2026-1525: node-undici - Undici allows duplicate HTTP Content-Length headers when they are provided in an...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1525 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-1525 undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers↗2026-03-12

▶