Duplicate HTTP Content-Length Headers in Undici from Node.js
CVE-2026-1525

6.5 MEDIUM

Key Information:

Vendor

Undici

Status
Vendor
CVE Published:
12 March 2026

What is CVE-2026-1525?

Undici, a popular HTTP client for Node.js, emits duplicate HTTP Content-Length headers when headers are passed as an array containing case-variant names (for example both "Content-Length" and "content-length"). The result is a malformed HTTP/1.1 request that servers and intermediaries can interpret inconsistently. Applications that use undici.request() or similar low-level APIs are at risk, particularly if they accept user-controlled header names without case normalization. The potential consequences are denial of service, because strict HTTP parsers reject the request, and request smuggling, where conflicting interpretations of the headers can lead to access control bypasses and cache poisoning.
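As an added example (not part of this advisory and not undici's own code), the kind of sender-side normalization an application can run over a user-influenced header list before handing it to undici.request(): names are lowercased, a repeated framing header such as Content-Length is rejected, and other repeats are merged. The flat [name, value, name, value, ...] input shape and the [name, value] pair shape are assumptions about the caller's data, not a statement about undici's API.

```javascript
// Added example: collapse a header list into one case-normalized map and
// reject ambiguous duplicates before the list reaches undici.request().
// HTTP/1.1 field names are case-insensitive, so "Content-Length" and
// "content-length" name the same field.

// Headers that must appear at most once; a second copy makes message
// framing ambiguous, which is the request smuggling precondition.
const SINGLETON_HEADERS = new Set(["content-length", "transfer-encoding", "host"]);

// Valid characters of an HTTP field name (token, RFC 9110 section 5.6.2).
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Accept a flat [name, value, ...] array or an array of [name, value] pairs.
// Both shapes are assumptions about the caller's input, not undici's contract.
function toPairs(headers) {
  if (headers.length > 0 && Array.isArray(headers[0])) return headers;
  if (headers.length % 2 !== 0) throw new TypeError("odd-length header array");
  const pairs = [];
  for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
  return pairs;
}

// Returns a plain object keyed by lowercased name. Repeated ordinary headers
// become an array of values; any repeat of a singleton header throws.
function normalizeHeaders(headers) {
  const out = Object.create(null);
  for (const [rawName, value] of toPairs(headers)) {
    if (typeof rawName !== "string" || !TOKEN_RE.test(rawName)) {
      throw new TypeError(`invalid header name: ${String(rawName)}`);
    }
    const name = rawName.toLowerCase();
    if (name in out) {
      if (SINGLETON_HEADERS.has(name)) {
        throw new Error(`duplicate ${name} header (${out[name]} vs ${value})`);
      }
      out[name] = [].concat(out[name], value);
    } else {
      out[name] = value;
    }
  }
  // Content-Length alongside Transfer-Encoding is the other classic framing
  // ambiguity; refuse to send a request that carries both.
  if ("content-length" in out && "transfer-encoding" in out) {
    throw new Error("content-length and transfer-encoding must not both be set");
  }
  return out;
}

// Convenience predicate: true when the list would be refused.
function rejectsHeaderList(headers) {
  try { normalizeHeaders(headers); return false; } catch { return true; }
}
```

Constructed input such as ["Content-Length", "5", "content-length", "10"] is refused, while ["X-Trace", "a", "x-trace", "b"] merges into { "x-trace": ["a", "b"] }.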

Affected Version(s)

undici < 6.24.0; >= 7.0.0 and < 7.24.0

undici 6.24.0; 7.24.0

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Collina
Ulises Gascón