Impact
The undici library, which parses Set-Cookie headers, performs percent-decoding on cookie values without regard to RFC 6265. This transforms encoded sequences such as %0D%0A, %00, %3B, and %3D into their raw byte forms. When an application forwards these parsed values into response headers—common in proxies, middleware, or server‑side rendering frameworks—the attacker can inject arbitrary headers such as Set‑Cookie, Location, or Cache‑Control. This enables session fixation, open redirects, or cache poisoning, compromising user sessions and application integrity.
Affected Systems
The vulnerability affects any application that uses undici's cookie parsing functions (parseSetCookie, parseCookie, getSetCookies) and subsequently writes the parsed output to a response header. Current undici versions from 7.0.0 onward are vulnerable; upgrading to undici 6.26.0, 7.28.0, or 8.5.0 removes the flaw.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending a malicious Set‑Cookie header from an upstream server; the undici parser will decode it and an application that forwards the decoded value will deliver malicious headers to downstream clients. If the application processes untrusted upstream requests, the opportunity to inject headers exists.
OpenCVE Enrichment
Github GHSA