Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1527

Summary
Assigner-openjs
Assigner Org ID-ce714d77-add3-4f53-aff5-83d477b104bb
Published At-12 Mar, 2026 | 20:17
Updated At-13 Mar, 2026 | 18:06
Rejected At-
Credits

undici is vulnerable to CRLF Injection via upgrade option

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:openjs
Assigner Org ID:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:12 Mar, 2026 | 20:17
Updated At:13 Mar, 2026 | 18:06
Rejected At:
▼CVE Numbering Authority (CNA)
undici is vulnerable to CRLF Injection via upgrade option

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

Affected Products
Vendor
undici
Product
undici
Collection URL
https://github.com/nodejs/undici/
Package Name
undici
Repo
https://github.com/nodejs/undici/
Default Status
unaffected
Versions
Affected
  • < 6.24.0; 7.0.0 < 7.24.0
Unaffected
  • 6.24.0: 7.24.0
Problem Types
TypeCWE IDDescription
CWECWE-93CWE-93 Improper neutralization of CRLF sequences ('CRLF injection')
Type: CWE
CWE ID: CWE-93
Description: CWE-93 Improper neutralization of CRLF sequences ('CRLF injection')
Metrics
VersionBase scoreBase severityVector
3.14.6MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
remediation developer
Matteo Collina
remediation developer
Ulises Gascón
analyst
Raul Vega del Valle
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
N/A
https://hackerone.com/reports/3487198
N/A
https://cna.openjsf.org/security-advisories.html
N/A
Hyperlink: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
Resource: N/A
Hyperlink: https://hackerone.com/reports/3487198
Resource: N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:12 Mar, 2026 | 21:16
Updated At:20 Mar, 2026 | 15:49

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.6MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CPE Matches
Node.js (OpenJS Foundation)
nodejs
>>undici>>Versions before 6.24.0(exclusive)
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Node.js (OpenJS Foundation)
nodejs
>>undici>>Versions from 7.0.0(inclusive) to 7.24.0(exclusive)
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-93Secondaryce714d77-add3-4f53-aff5-83d477b104bb
CWE ID: CWE-93
Type: Secondary
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cna.openjsf.org/security-advisories.htmlce714d77-add3-4f53-aff5-83d477b104bb
Vendor Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvqce714d77-add3-4f53-aff5-83d477b104bb
Mitigation
Patch
Vendor Advisory
https://hackerone.com/reports/3487198ce714d77-add3-4f53-aff5-83d477b104bb
Permissions Required
Hyperlink: https://cna.openjsf.org/security-advisories.html
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource:
Vendor Advisory
Hyperlink: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource:
Mitigation
Patch
Vendor Advisory
Hyperlink: https://hackerone.com/reports/3487198
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource:
Permissions Required

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2023-23936
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.40%
||
7 Day CHG-0.14%
Published-16 Feb, 2023 | 17:30
Updated-10 Mar, 2025 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRLF Injection in Nodejs ‘undici’ via host

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-undicinode.jsundici
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-35948
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 37.43%
||
7 Day CHG~0.00%
Published-13 Aug, 2022 | 00:00
Updated-22 Apr, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRLF Injection in Nodejs ‘undici’ via Content-Type

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2022-31150
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.51% / 66.29%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 20:40
Updated-22 Apr, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRLF injection in request headers

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Details not found