HTTP Response Header Injection Vulnerability in Undici Product by Node.js
CVE-2026-9679

5.9 MEDIUM

Key Information:

Vendor: Undici
Status: Vendor
CVE Published: 17 June 2026

What is CVE-2026-9679?

In affected versions of Undici, the cookie parser (parseSetCookie) improperly decodes cookie values, which can expose applications to HTTP response header injection. The issue arises when an application parses Set-Cookie headers from an upstream response and forwards the parsed values into its own response headers. A malicious upstream can exploit this flaw to inject arbitrary headers such as Set-Cookie, Location, or Cache-Control, potentially leading to session fixation, open redirects, or cache poisoning. Developers using Undici are advised to upgrade to version 6.26.0, 7.28.0, or 8.5.0, or to sanitize cookie values properly before forwarding them in response headers.
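As an added example (not undici's own code), the following check validates a parsed upstream cookie against the header-value and cookie-value grammars before it is copied into a downstream Set-Cookie header; the cookie objects are constructed for the demo, and the attribute names `name` and `value` are assumed to match whatever parser the application uses.

```javascript
// Added example, not undici's own code: validate a parsed upstream cookie
// before copying it into a downstream response header. The cookie objects
// below are constructed for the demo; a real app would get them from its
// Set-Cookie parser (e.g. undici's parseSetCookie) for the upstream response.

// RFC 9110 field-value allows HTAB, SP, printable ASCII and obs-text (0x80-0xFF).
// CR, LF and NUL are the characters that would terminate the header and let
// the remainder of the value be read as a second, injected header.
function isSafeHeaderValue(value) {
  if (typeof value !== 'string') return false;
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x09 || (c >= 0x20 && c <= 0x7e) || (c >= 0x80 && c <= 0xff)) continue;
    return false;
  }
  return true;
}

// RFC 6265: cookie-name is a token; cookie-value excludes CTLs, whitespace,
// DQUOTE, comma, semicolon and backslash. Stricter than the header grammar,
// so a value that passes here cannot smuggle extra cookie attributes either.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE_RE = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$/;

function isSafeCookie(parsed) {
  return parsed !== null && typeof parsed === 'object'
    && COOKIE_NAME_RE.test(parsed.name)
    && isSafeHeaderValue(parsed.value)
    && COOKIE_VALUE_RE.test(parsed.value);
}

// Build the Set-Cookie header values that may be forwarded, and keep the
// rejected ones so the proxy can log them instead of silently dropping them.
function forwardSetCookies(parsedCookies) {
  const forwarded = [];
  const rejected = [];
  for (const cookie of parsedCookies) {
    if (isSafeCookie(cookie)) {
      forwarded.push(`${cookie.name}=${cookie.value}`);
    } else {
      rejected.push(cookie);
    }
  }
  return { forwarded, rejected };
}

// Constructed sample: one benign cookie, one whose decoded value carries CRLF.
const sample = [
  { name: 'sid', value: 'abc123' },
  { name: 'sid', value: 'abc123\r\nLocation: https://example.test/' },
];
console.log(forwardSetCookies(sample).forwarded); // → [ 'sid=abc123' ]
```

Rejected entries should be logged with the upstream host, since a CR or LF in a decoded cookie value is a strong signal of a hostile or compromised upstream rather than a benign encoding mistake.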

Affected Version(s)

  • undici < 6.26.0

  • undici 7.0.0 to < 7.28.0

  • undici 8.0.0 to < 8.5.0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

tndud042713
mcollina
KhafraDev
UlisesGascon