Description
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
* Applications that accept user-controlled header names without case-normalization


Potential consequences:

* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Published: 2026-03-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch or Mitigate
AI Analysis

Impact

Undici allows duplicate HTTP Content-Length headers when headers are provided as a flat array with case-variant names (e.g., Content-Length and content-length). This creates malformed HTTP/1.1 requests with two conflicting Content-Length values sent over the wire, enabling denial of service in strict parsers and opening the possibility for HTTP request smuggling. The weakness is a form of improper header validation and falls under CWE-444.

Affected Systems

Affecting the Node.js HTTP client library undici (undici:undici). Applications that use undici.request(), undici.Client, or other low-level APIs in which headers are supplied as arrays are impacted. Products that accept user-controlled header names without first normalizing case and removing duplicates are also at risk. No specific affected versions are listed in the CNA data.

Risk and Exploitability

The CVSS base score is 6.5 (moderate) and EPSS is less than 1%, indicating a relatively low likelihood of exploitation. The vulnerability is not in CISA’s KEV catalog. Exploitability is inferred to require an attacker who can influence the headers sent to undici, such as through an application that forwards user input to the library without sanitization. If successfully leveraged, it can cause denial of service or enable request smuggling attacks such as ACL bypass, cache poisoning, or credential hijacking.

Generated by OpenCVE AI on March 19, 2026 at 18:27 UTC.

Remediation

Vendor Workaround

If upgrading is not immediately possible:

* Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
* Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
* Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates


OpenCVE Recommended Actions

  • Validate header names and reject duplicate Content-Length headers before passing them to undici.
  • Pass headers as a plain object (e.g., { 'content-length': '123' }) rather than an array to automatically eliminate duplicate keys.
  • Sanitize user-controlled header input by normalizing header names to lowercase and rejecting any duplicates.
  • Check for and install any undici updates that address this issue as they become released.
  • Monitor undici security advisories and NVD for new patches or mitigations.
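One way to implement the validation that the vendor workaround and the recommended actions above describe, as an added example that is not undici's own code: it accepts the flat-array form undici takes ([name, value, name, value, ...]) or a plain object, case-folds every header name, and rejects any name that appears twice after folding. The helper names normalizeHeaders and flatPairs are assumptions, not undici APIs.

```javascript
// Added example, not part of undici. Normalize a header collection before
// passing it to undici.request() / undici.Client so that case-variant
// duplicates (e.g. Content-Length and content-length) never reach the wire.

// Split undici's flat array form into [name, value] pairs.
function flatPairs(arr) {
  if (arr.length % 2 !== 0) {
    throw new Error('flat header array must have an even number of entries');
  }
  const pairs = [];
  for (let i = 0; i < arr.length; i += 2) {
    pairs.push([arr[i], arr[i + 1]]);
  }
  return pairs;
}

// Returns a plain object keyed by lowercase header name, or throws.
function normalizeHeaders(headers) {
  const pairs = Array.isArray(headers) ? flatPairs(headers) : Object.entries(headers);
  const out = Object.create(null);
  for (const [rawName, rawValue] of pairs) {
    const name = String(rawName).trim().toLowerCase();
    const value = String(rawValue);
    if (name in out) {
      // The advisory recommends rejecting any duplicate after case folding;
      // duplicate Content-Length is the case that yields a malformed request.
      throw new Error(`duplicate header after case-normalization: ${name}`);
    }
    if (name === 'content-length' && !/^[0-9]+$/.test(value)) {
      // A non-numeric Content-Length is equally ambiguous to downstream parsers.
      throw new Error(`invalid Content-Length value: ${value}`);
    }
    out[name] = value;
  }
  return { ...out };
}

module.exports = { normalizeHeaders, flatPairs };
```

Note that a plain object only deduplicates exact-case keys, so { 'Content-Length': '5', 'content-length': '10' } still has two entries; the lowercase fold above is what closes that gap.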

Generated by OpenCVE AI on March 19, 2026 at 18:27 UTC.

Advisories
Source: Github GHSA
ID: GHSA-2mjp-6q6p-2qxm
Title: Undici has an HTTP Request/Response Smuggling issue
History

Thu, 19 Mar 2026 17:30:00 +0000

First Time appeared: (added) Nodejs, Nodejs undici
CPEs: (added) cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Vendors & Products: (added) Nodejs, Nodejs undici

Fri, 13 Mar 2026 10:00:00 +0000

First Time appeared: (added) Undici, Undici undici
Vendors & Products: (added) Undici, Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

References: (values not shown)
Metrics threat_severity: (removed) None; (added) Moderate


Thu, 12 Mar 2026 21:15:00 +0000

Metrics ssvc: (added) {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 20:15:00 +0000

Description: (added) the description reproduced at the top of this page
Title: (added) undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Weaknesses: (added) CWE-444
References: (values not shown)
Metrics cvssV3_1: (added) {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-12T20:46:13.379Z

Reserved: 2026-01-28T12:04:51.369Z

Link: CVE-2026-1525

Vulnrichment

Updated: 2026-03-12T20:44:25.316Z

NVD

Status : Analyzed

Published: 2026-03-12T20:16:02.670

Modified: 2026-03-19T17:29:34.053

Link: CVE-2026-1525

Redhat

Severity : Moderate

Public Date: 2026-03-12T19:56:55Z

Links: CVE-2026-1525 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T12:05:18Z

Weaknesses