🔐 CVE Alert

CVE-2026-1527

MEDIUM 4.6

undici is vulnerable to CRLF Injection via upgrade option

CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
0th

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

    // lib/dispatcher/client-h1.js:1121
    if (upgrade) {
      header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
    }
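A defender-side check for the unvalidated concatenation described above, added here as an example and not undici's own code: refuse an upgrade value before it reaches client.request() unless it is a valid RFC 9110 token, which by construction excludes CR and LF. The token regex, the header-building helpers and the constructed sample values are this example's own assumptions.

```javascript
// Added example (not undici's code). Validates an `upgrade` option value before it
// is passed to client.request(), so user-controlled input cannot carry CRLF into
// the request headers. Assumes RFC 9110 "token" = 1*tchar as the allowed grammar.
const TCHAR_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns a reason string if the value is unsafe, or null if it is a valid token.
function upgradeValueProblem(value) {
  if (typeof value !== 'string' || value.length === 0) {
    return 'upgrade must be a non-empty string';
  }
  if (/[\r\n]/.test(value)) {
    return 'upgrade contains CR or LF (CRLF injection)';
  }
  if (!TCHAR_TOKEN.test(value)) {
    return 'upgrade contains characters outside the RFC 9110 token grammar';
  }
  return null;
}

// Mirrors the unvalidated concatenation quoted from lib/dispatcher/client-h1.js,
// so the effect of a bad value on the wire bytes can be observed.
function buildUpgradeHeaders(upgrade) {
  return `connection: upgrade\r\nupgrade: ${upgrade}\r\n`;
}

// Hardened wrapper: only build header lines from a validated token.
function buildUpgradeHeadersSafe(upgrade) {
  const problem = upgradeValueProblem(upgrade);
  if (problem !== null) {
    throw new TypeError(`invalid upgrade option: ${problem}`);
  }
  return buildUpgradeHeaders(upgrade);
}

// Number of non-empty header lines the raw concatenation emits; a valid token
// yields exactly two (connection, upgrade), anything more means injection.
function headerLineCount(upgrade) {
  return buildUpgradeHeaders(upgrade).split('\r\n').filter(Boolean).length;
}
```

Applying upgradeValueProblem() at the application boundary (before the value is handed to undici) gives an explicit, loggable rejection instead of silently emitting extra header lines.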

CWE CWE-93
Vendor undici
Product undici
Published Mar 12, 2026
Last Updated Mar 13, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

undici / undici
< 6.24.0; 7.0.0 < 7.24.0

References

github.com: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
hackerone.com: https://hackerone.com/reports/3487198
cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

Matteo Collina
Ulises Gascón
Raul Vega del Valle