Cookie Handling Vulnerability in Undici Library by Node.js
CVE-2026-11525

3.7 LOW

Key Information:

Vendor: Undici

Status: Vendor

CVE Published: 17 June 2026

What is CVE-2026-11525?

Undici improperly processes the Set-Cookie header: it does not enforce a case-insensitive exact match for the SameSite attribute value, as RFC 6265 requires, and instead accepts any value that contains the substring 'Strict', 'Lax', or 'None', mapping such non-compliant values onto those standard categories. A malicious server can therefore influence how a cookie's SameSite policy is interpreted, potentially weakening the protection the developer intended. Applications that rely on the parsed SameSite value may unintentionally expose users to risk by accepting a less stringent setting produced by this faulty parsing.
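As an added example (not Undici's own code), the two parsing behaviours side by side in JavaScript: a lenient substring match of the kind the advisory describes, and a case-insensitive exact match of the attribute value. The helper names and the Set-Cookie lines are constructed for this illustration.

```javascript
// Added example, not Undici's code: contrast a lenient substring match for the
// SameSite attribute with a case-insensitive exact match.
// Function names and the sample headers below are constructed for this demo.

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

// Pull the raw SameSite attribute value out of a Set-Cookie header line.
// Returns undefined when the attribute is absent.
function getSameSiteRaw(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, ...rest] = part.trim().split('=');
    if (name.trim().toLowerCase() === 'samesite') {
      return rest.join('=').trim();
    }
  }
  return undefined;
}

// Lenient behaviour of the kind the advisory describes: any value that merely
// contains one of the keywords is mapped onto that keyword.
function parseSameSiteLenient(raw) {
  if (raw === undefined) return undefined;
  const lower = raw.toLowerCase();
  return SAMESITE_VALUES.find((v) => lower.includes(v.toLowerCase())) ?? null;
}

// Strict behaviour: the value must equal one of the keywords, compared
// case-insensitively; anything else is reported as invalid (null) so the caller
// applies its own default instead of a guessed policy.
function parseSameSiteStrict(raw) {
  if (raw === undefined) return undefined;
  const lower = raw.toLowerCase();
  return SAMESITE_VALUES.find((v) => v.toLowerCase() === lower) ?? null;
}

// Constructed Set-Cookie lines for the comparison.
const SAMPLES = [
  'sid=abc; Path=/; SameSite=strict',     // valid, only the case differs
  'sid=abc; Path=/; SameSite=NotStrict',  // invalid, but contains "Strict"
  'sid=abc; Path=/; SameSite=Lax-ish',    // invalid, but contains "Lax"
  'sid=abc; Path=/; HttpOnly',            // attribute absent
];

function compare(setCookie) {
  const raw = getSameSiteRaw(setCookie);
  return { raw, lenient: parseSameSiteLenient(raw), strict: parseSameSiteStrict(raw) };
}

for (const line of SAMPLES) console.log(compare(line));
```

The lenient parser turns 'NotStrict' into Strict and 'Lax-ish' into Lax, while the strict parser rejects both and only accepts 'strict' as Strict.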

Affected Version(s)

undici 0 < 6.26.0

undici 7.0.0 < 7.28.0

undici 8.0.0 < 8.5.0

References

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

UlisesGascon
KhafraDev
mcollina
tndud042713