Description
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Published: 2026-03-12
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CRLF injection allowing arbitrary HTTP header injection and request smuggling to non-HTTP services
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject CRLF sequences into the upgrade option of undici's client.request(), permitting arbitrary HTTP header injection and premature request termination. This can result in data smuggling into services such as Redis, Memcached, or Elasticsearch, potentially exposing sensitive information or enabling further exploitation. The weakness corresponds to CWE‑93 (CRLF Injection).

Affected Systems

The affected product is undici, the HTTP client library used within Node.js environments. No specific version information is provided in the advisory, so any deployment that uses undici's upgrade option and accepts user-controlled input may be affected.

Risk and Exploitability

The CVSS score of 4.6 rates the vulnerability as moderate, and the EPSS score indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is external; an attacker can craft a request with a malicious upgrade field that contains CRLF sequences to trigger header injection and smuggling. The impact applies when the application forwards such requests to non-HTTP services, and while the overall risk is moderate, the potential to expose data to services like Redis or Elasticsearch is significant.

Generated by OpenCVE AI on March 20, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to a patched version that validates the upgrade option
  • If immediate upgrade is not possible, sanitize or validate the upgrade option value to ensure it does not contain CR or LF characters before sending
  • Disable the upgrade option for any user-controlled input if it is not required by the application
  • Monitor for vendor updates and apply patches as soon as they become available

Generated by OpenCVE AI on March 20, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4992-7rv2-5pvq Undici has CRLF Injection in undici via `upgrade` option
History

Fri, 20 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs undici
CPEs cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Vendors & Products Nodejs
Nodejs undici

Fri, 13 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 12 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
Title undici is vulnerable to CRLF Injection via upgrade option
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Nodejs Undici
Undici Undici
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-13T18:06:03.794Z

Reserved: 2026-01-28T12:05:08.491Z

Link: CVE-2026-1527

cve-icon Vulnrichment

Updated: 2026-03-13T18:05:47.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T21:16:25.137

Modified: 2026-03-20T15:49:31.370

Link: CVE-2026-1527

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-12T20:17:18Z

Links: CVE-2026-1527 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T10:00:27Z

Weaknesses