Description
Impact:
When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).

Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.

This was introduced in undici 5.15.0 when the cookies feature was added.

Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds:
After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.
Published: 2026-06-17
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

undici’s Set‑Cookie parser accepts any SameSite attribute value that contains the strings "Strict", "Lax", or "None" as a substring, instead of requiring an exact, case‑insensitive match as specified by RFC 6265. The erroneous logic silently maps non‑spec values to one of the three standard tokens. For example, a header containing "SameSite=NoneOfYourBusiness" is parsed as None (the most permissive setting), and "SameSite=StrictLax" is interpreted as Lax, thereby downgrading a stronger policy to a weaker one. This downgrade can undermine a site’s intent to restrict cross‑site request contexts for cookies, weakening confidentiality and integrity protections.

Affected Systems

The issue affects any application that uses undici to retrieve or forward Set‑Cookie headers, such as via the fetch or proxy APIs. All releases from undici 5.15.0 up to the patched versions 6.26.0, 7.28.0, and 8.5.0 are vulnerable, so deployments using any intermediate undici release remain at risk.

Risk and Exploitability

The CVSS score of 3.7 indicates a moderate severity, and the EPSS score of < 1% suggests a low likelihood of exploitation. The vulnerability is not included in CISA’s KEV list. The attack vector is inferred: a malicious or poorly configured server can send a crafted Set‑Cookie header to the undici client, which will then parse the SameSite value into a weaker token without detecting the change. Since parsing occurs client‑side and no extra privileges are needed, an attacker who can influence the server’s response can perform a low‑effort downgrade attack on any dependent application.

Generated by OpenCVE AI on June 18, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to v6.26.0, v7.28.0, or v8.5.0.
  • After a Set‑Cookie header is parsed, validate that the resulting SameSite attribute is exactly "Strict", "Lax", or "None" (case‑insensitive) and reject or translate any other value before forwarding or using it.
  • Ensure that any server generating Set‑Cookie headers adheres to RFC 6265 so that only valid SameSite tokens are transmitted.
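As an added example covering both the workaround in the Description and the recommended actions above (constructed for this page, not undici's own code and not taken from the advisory), the block below builds a minimal Set-Cookie attribute parser that reproduces the substring matching described, places the RFC 6265 exact match beside it, and applies the recommended validation to the raw attribute text. The token order used by the permissive matcher and all sample headers are assumptions.

```javascript
// Added illustration, not undici's own code: substring-based SameSite matching as the
// advisory describes, the RFC 6265 exact match, and the workaround check on raw text.

const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Splits "name=value; attr; attr=value" into name, value and [key, value] attribute pairs.
function splitSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = rest.map((a) => {
    const i = a.indexOf('=');
    return i === -1 ? [a.toLowerCase(), ''] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  });
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Permissive (vulnerable) matching, constructed to reproduce the described behaviour:
// any value that merely contains a token is mapped to it. The token order is an
// assumption chosen so that "StrictLax" maps to Lax, as in the advisory's example.
function sameSitePermissive(raw) {
  const lower = raw.toLowerCase();
  return ['None', 'Lax', 'Strict'].find((t) => lower.includes(t.toLowerCase()));
}

// Hardened matching per RFC 6265: the whole value must equal a token, case-insensitively.
function sameSiteExact(raw) {
  const lower = raw.trim().toLowerCase();
  return SAMESITE_TOKENS.find((t) => t.toLowerCase() === lower);
}

function parseSetCookie(header, matchSameSite) {
  const cookie = splitSetCookie(header);
  const ss = cookie.attrs.find(([k]) => k === 'samesite');
  cookie.sameSite = ss ? matchSameSite(ss[1]) : undefined;
  return cookie;
}

// Workaround check: confirm the SameSite attribute as written in the header is exactly
// Strict, Lax or None (or absent) before forwarding the parsed cookie. Checking only the
// normalised token would pass, because the permissive parser has already rewritten it.
function sameSiteIsWellFormed(header) {
  const ss = splitSetCookie(header).attrs.find(([k]) => k === 'samesite');
  return ss === undefined || sameSiteExact(ss[1]) !== undefined;
}

// Constructed sample headers built from the advisory's examples.
const DOWNGRADE_TO_NONE = 'session=abc; Path=/; SameSite=NoneOfYourBusiness';
const DOWNGRADE_TO_LAX = 'session=abc; Path=/; SameSite=StrictLax';
const VALID_STRICT = 'session=abc; Path=/; SameSite=strict';
```

A consumer that forwards cookies parsed by an unpatched version should run the raw-text check before trusting the normalised attribute, since the parser's output alone cannot reveal the downgrade.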

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Undici; Undici undici

Type: Vendors & Products
Values Removed: (none)
Values Added: Undici; Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1286

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Low


Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: the Impact, Patches and Workarounds text shown under Description at the top of this page

Type: Title
Values Removed: (none)
Values Added: undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-183

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-17T17:54:22.022Z

Reserved: 2026-06-07T18:49:35.986Z

Link: CVE-2026-11525

Vulnrichment

Updated: 2026-06-17T17:53:46.041Z

NVD

No data.

Redhat

Severity : Low

Public Date: 2026-06-17T17:31:03Z

Links: CVE-2026-11525 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-1286: Improper Validation of Syntactic Correctness of Input
  • CWE-183: Permissive List of Allowed Inputs