Impact
The undici HTTP/1.1 client contains a flaw that allows an attacker-controlled or compromised upstream server to poison the response queue on a reused keep‑alive socket. After a request completes, the idle socket can be reused for the next request. The attacker can inject a forged HTTP/1.1 response onto that socket, and the client then associates the injected response with the new request, causing the application to receive the wrong data. This can result in logic errors, data leakage, or application instability. The flaw requires that a controllable upstream HTTP/1.1 server be present and that the client reuses keep‑alive connections. The vulnerability is rooted in improper management of object references (CWE-367) and response injection (CWE-940).
Affected Systems
Deployments of the undici library earlier than v6.26.0, v7.28..0 are affected. The product is the undici HTTP client for Node.js, used by JavaScript applications that perform outbound HTTP traffic.
Risk and Exploitability
The CVSS score of 3.7 places the vulnerability in the low to medium severity range, and the EPSS score indicates a very low probability of exploitation. It is not listed in CISA’s KEV catalogue, suggesting no widespread known exploits. Exploitation requires control over the server to which the application connects; if all upstream servers are trustworthy or difficult to compromise, the risk remains low. However, should an attacker manage to subvert an upstream server, they could deliver malicious responses, potentially leading to information disclosure or application failure. Updating to a fixed release is the definitive mitigation, while disabling keep‑alive reuse provides a temporary safeguard.
OpenCVE Enrichment
Github GHSA