Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4992-7rv2-5pvq

Опубликовано: 13 мар. 2026
Источник: github
Github: Прошло ревью
CVSS3: 4.6

Описание

Undici has CRLF Injection in undici via upgrade option

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) { if (/[\r\n]/.test(value)) { throw new Error('Invalid upgrade value') } return value } client.request({ upgrade: sanitizeUpgrade(userInput) })

Ссылки

Пакеты

Наименование

undici

npm
Затронутые версииВерсия исправления

< 6.24.0

6.24.0

Наименование

undici

npm
Затронутые версииВерсия исправления

>= 7.0.0, < 7.24.0

7.24.0

EPSS

Процентиль: 1%
0.00009
Низкий

4.6 Medium

CVSS3

CVE ID

CVE-2026-1527

Дефекты

CWE-93

Связанные уязвимости

ubuntu логотип

CVE-2026-1527

CVSS3: 4.6
ubuntu
18 дней назад

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

redhat логотип

CVE-2026-1527

CVSS3: 6.5
redhat
18 дней назад

A flaw was found in undici, a Node.js HTTP/1.1 client. This vulnerability allows a remote attacker to inject malicious data into HTTP headers or prematurely end HTTP requests by sending specially crafted input to the `upgrade` option of `client.request()`. This is possible because undici does not properly validate input for invalid header characters, which could lead to unauthorized information disclosure or bypassing of security controls.

nvd логотип

CVE-2026-1527

CVSS3: 4.6
nvd
18 дней назад

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

debian логотип

CVE-2026-1527

CVSS3: 4.6
debian
18 дней назад

ImpactWhen an application passes user-controlled input to theupgradeop ...

EPSS

Процентиль: 1%
0.00009
Низкий

4.6 Medium

CVSS3

CVE ID

CVE-2026-1527

Дефекты

CWE-93