CVE-2026-1527

CWE-939
Documents: 8 sources
Severity: 4.6 (MEDIUM)
EPSS: 0.0% (top 98.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (see Affected Packages below)
Timeline: Published Mar 12; Latest update Mar 13

Description

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) { header += `co

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 | Impact: 2.5

Affected Packages (4 packages)

Source     | Package         | Affected range
npm        | undici          | 7.0.0 to 7.24.0 (+1)
CVEListV5  | undici/undici   | < 6.24.0; 7.0.0 < 7.24.0
NVD        | nodejs/undici   | 7.0.0 to 7.24.0 (+1)
Debian     | node-undici     | < 7.24.5+dfsg+~cs3.2.0-1

Patches

Vulnerability Details (4)

OSV: Undici has CRLF Injection in undici via `upgrade` option (2026-03-13)
GHSA: Undici has CRLF Injection in undici via `upgrade` option (2026-03-13)
CVEList: undici is vulnerable to CRLF Injection via upgrade option (2026-03-12)
OSV: CVE-2026-1527: Impact: When an application passes user-controlled input to the upgrade option of client (2026-03-12)

Vendor Advisories (2)

Red Hat: undici: Undici: HTTP header injection and request smuggling vulnerability (2026-03-12)
Debian: CVE-2026-1527: node-undici - Impact: When an application passes user-controlled input to the upgrade option of ... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-1527 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

Bugzilla: CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability (2026-03-12)
CVE-2026-1527 (MEDIUM, CVSS 4.6) | cvebase.io