CVE-2026-6733

LOW 3.7

undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

CWE	CWE-367
Vendor	undici
Product	undici
Published	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for undici undici

Be the first to know when new low vulnerabilities affecting undici undici are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

undici / undici

0 < 6.26.0 7.0.0 < 7.28.0 8.0.0 < 8.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52 hackerone.com: https://hackerone.com/reports/3582376 cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

mcollina UlisesGascon