Response Queue Poisoning Vulnerability in Undici HTTP Client
CVE-2026-6733

3.7LOW

Key Information:

Vendor: Undici
Status: Undici
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-6733?

The Undici HTTP/1.1 client is susceptible to a response queue poisoning vulnerability that arises when keep-alive sockets are reused. In scenarios where an attacker controls an upstream HTTP/1.1 server, they can manipulate socket connections to inject unsolicited responses after previous requests. This injection leads to incorrect response handling, where the injected response is misassociated with the next legitimate request made on the same socket. Mitigations include upgrading to specified patched versions or disabling connection reuse by adjusting the keep-alive timeout.

Affected Version(s)

undici 0 < 6.26.0

undici 7.0.0 < 7.28.0

undici 8.0.0 < 8.5.0

References

https://github.com/nodejs/undici/security/advisories/GHSA...

https://hackerone.com/reports/3582376

https://cna.openjsf.org/security-advisories.html

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

mcollina

UlisesGascon

CVE-2026-6733 Data

JSON