Description
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via PR #3789.

Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds:
If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
Published: 2026-06-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The undici library, which parses Set-Cookie headers, performs percent-decoding on cookie values without regard to RFC 6265. This transforms encoded sequences such as %0D%0A, %00, %3B, and %3D into their raw byte forms. When an application forwards these parsed values into response headers—common in proxies, middleware, or server‑side rendering frameworks—the attacker can inject arbitrary headers such as Set‑Cookie, Location, or Cache‑Control. This enables session fixation, open redirects, or cache poisoning, compromising user sessions and application integrity.

Affected Systems

The vulnerability affects any application that uses undici's cookie parsing functions (parseSetCookie, parseCookie, getSetCookies) and subsequently writes the parsed output to a response header. Current undici versions from 7.0.0 onward are vulnerable; upgrading to undici 6.26.0, 7.28.0, or 8.5.0 removes the flaw.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending a malicious Set‑Cookie header from an upstream server; the undici parser will decode it and an application that forwards the decoded value will deliver malicious headers to downstream clients. If the application processes untrusted upstream requests, the opportunity to inject headers exists.

Generated by OpenCVE AI on June 18, 2026 at 20:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to v6.26.0, v7.28.0, or v8.5.0.
  • If an upgrade is not possible, modify application logic to avoid forwarding raw cookie values parsed by undici into response headers; instead sanitize the value by stripping or rejecting CR, LF, NUL, ';', and '=' bytes.
  • Review any proxy, middleware, or SSR framework that forwards cookie data to headers and ensure that the values are validated or sanitized before inclusion in the response.

Generated by OpenCVE AI on June 18, 2026 at 20:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
History

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning. Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header. This was introduced in undici 7.0.0 via PR #3789. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
Title undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-23T16:12:38.765Z

Reserved: 2026-05-27T08:59:17.316Z

Link: CVE-2026-9679

cve-icon Vulnrichment

Updated: 2026-06-17T18:32:09.569Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T16:56:18Z

Links: CVE-2026-9679 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')