Description
Impact:
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds:
Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
Published: 2026-06-17
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The undici HTTP/1.1 client contains a flaw that allows an attacker-controlled or compromised upstream server to poison the response queue on a reused keep‑alive socket. After a request completes, the idle socket can be reused for the next request. The attacker can inject a forged HTTP/1.1 response onto that socket, and the client then associates the injected response with the new request, causing the application to receive the wrong data. This can result in logic errors, data leakage, or application instability. The flaw requires that a controllable upstream HTTP/1.1 server be present and that the client reuses keep‑alive connections. The vulnerability is rooted in improper management of object references (CWE-367) and response injection (CWE-940).

Affected Systems

Deployments of the undici library earlier than v6.26.0, v7.28..0 are affected. The product is the undici HTTP client for Node.js, used by JavaScript applications that perform outbound HTTP traffic.

Risk and Exploitability

The CVSS score of 3.7 places the vulnerability in the low to medium severity range, and the EPSS score indicates a very low probability of exploitation. It is not listed in CISA’s KEV catalogue, suggesting no widespread known exploits. Exploitation requires control over the server to which the application connects; if all upstream servers are trustworthy or difficult to compromise, the risk remains low. However, should an attacker manage to subvert an upstream server, they could deliver malicious responses, potentially leading to information disclosure or application failure. Updating to a fixed release is the definitive mitigation, while disabling keep‑alive reuse provides a temporary safeguard.

Generated by OpenCVE AI on June 18, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the undici package to v6.26.0, v7.28.0, or v8.5.0 or later.
  • If a patch cannot be applied immediately, configure the client or pool to set keepAliveTimeout to 0, thereby disabling keep‑alive reuse and preventing queue poisoning.
  • Confirm that all upstream servers the application connects to are trusted or have been hardened against injection, and monitor network traffic for unexpected responses on the socket to detect potential abuses.

Generated by OpenCVE AI on June 18, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-35p6-xmwp-9g52 undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
History

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-940
References
Metrics threat_severity

None

threat_severity

Low


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
Title undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-17T18:30:26.429Z

Reserved: 2026-04-20T22:44:32.835Z

Link: CVE-2026-6733

cve-icon Vulnrichment

Updated: 2026-06-17T18:30:16.063Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-17T17:14:50Z

Links: CVE-2026-6733 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-940

    Improper Verification of Source of a Communication Channel