CVE-2026-9679
Published 2026-06-17
Priority: P4 · CVSS 3.1: 5.9 (medium)
EPSS: 0.26% (17.0th percentile)
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.
This was introduced in undici 7.0.0 via PR #3789.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds:
If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
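The workaround above, as an added defensive check that is not part of undici or the advisory: a hypothetical `sanitizeForwardedCookieValue` helper rejects (or strips) the CR, LF, NUL, `;` and `=` bytes the advisory names before a parsed value is copied into a downstream header, with an optional strict mode that enforces the RFC 6265 cookie-octet set instead. The sample upstream value is constructed.

```javascript
// Added example, not undici's code: validate a cookie value that came out of a
// Set-Cookie parser before it is forwarded into a downstream response header.
// Default mode checks only the bytes named in the advisory (CR, LF, NUL, ';', '=');
// strict mode enforces RFC 6265 cookie-octet, which also excludes SP, '"', ',' and '\'.

const ADVISORY_BAD_BYTES = /[\r\n\0;=]/;

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const NOT_COOKIE_OCTET = /[^\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]/;

// Returns the value unchanged when safe; otherwise null (mode 'reject', the
// safer default) or the value with offending bytes removed (mode 'strip').
function sanitizeForwardedCookieValue(value, { mode = 'reject', strict = false } = {}) {
  if (typeof value !== 'string') return null;
  const bad = strict ? NOT_COOKIE_OCTET : ADVISORY_BAD_BYTES;
  if (!bad.test(value)) return value;
  if (mode !== 'strip') return null;
  return value.replace(new RegExp(bad.source, 'g'), '');
}

// Build a Set-Cookie header line only from a validated value, so a bad upstream
// value never reaches the response; attributes are trusted local strings here.
function buildSetCookie(name, value, attributes = []) {
  const safe = sanitizeForwardedCookieValue(value);
  if (safe === null) throw new Error(`refusing to forward unsafe cookie value for ${name}`);
  return [`${name}=${safe}`, ...attributes].join('; ');
}

// Constructed sample: what a decoding parser would hand back for an upstream
// value containing %0D%0A, i.e. a second header line smuggled into the value.
const decodedUpstreamValue = 'abc\r\nLocation: https://example.invalid';

function demo() {
  return {
    rejected: sanitizeForwardedCookieValue(decodedUpstreamValue), // null
    stripped: sanitizeForwardedCookieValue(decodedUpstreamValue, { mode: 'strip' }),
    clean: buildSetCookie('session', 'abc123', ['Path=/', 'HttpOnly']),
  };
}
```

In a proxy or SSR layer, apply the check at the single point where upstream cookie values are copied into the response, and log rejections so an injecting upstream is visible rather than silently dropped.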
Affected (39 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| nodejs | nodejs | — | — |
| nodejs | undici | < 6.27.0 | 6.27.0 |
| nodejs | undici | >= 7.0.0 < 7.28.0 | 7.28.0 |
| nodejs | undici | >= 8.0.0 < 8.5.0 | 8.5.0 |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| cvelistv5 | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA (ghsa · 2026-06-19)
CVE-2026-9679 [MEDIUM] CWE-93 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
VulDB (vuldb · 2026-06-17)
CVE-2026-9679 [CRITICAL] undici up to 6.25.x/7.27.x/8.4.x HTTP Response Header getSetCookies crlf injection (GHSA-p88m-4jfj-68fv)
A vulnerability was found in undici up to 6.25.x/7.27.x/8.4.x. It has been rated as critical. Affected is an unknown function of the file /parseCookie/getSetCookies of the component HTTP Response Header Handler. This manipulation causes crlf injection.
This vulnerability is registered as CVE-2026-9679. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is advised.
CVEList (cvelistv5 · 2026-06-17 · CVSS 5.9)
CVE-2026-9679 [MEDIUM] CWE-93 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Red Hat (vendor_redhat · 2026-06-17 · CVSS 5.9)
CVE-2026-9679 [MEDIUM] CWE-93 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Citrix (vendor_citrix · CVSS 9.8)
CVE-2016-9676 [CRITICAL] Citrix Security Bulletin CTX219580
CVE References: CVE-2016-9676, CVE-2016-9677, CVE-2016-9678, CVE-2016-9679, CVE-2016-9680, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla · 2026-06-17)
CVE-2026-9679 [MEDIUM] nodejs22: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla (bugzilla · 2026-06-17)
CVE-2026-9679 [MEDIUM] fbthrift: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding [fedora-all]
Bugzilla (bugzilla · 2026-06-17)
CVE-2026-9679 [MEDIUM] undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Bugzilla (bugzilla · 2026-06-17)
CVE-2026-9679 [MEDIUM] nodejs24: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding [fedora-all]
Bugzilla (bugzilla · 2026-06-17)
CVE-2026-9679 [MEDIUM] nodejs20: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding [fedora-all]