CVE-2026-1525
Published: 12 March 2026
Summary
CVE-2026-1525 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Node.js Undici. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in HTTP client enables malformed requests leading directly to request smuggling and DoS against public-facing web infrastructure/proxies (CWE-444).
NVD Description
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Deeper analysis
CVE-2026-1525 affects the Undici HTTP client library for Node.js, allowing the creation of malformed HTTP/1.1 requests with duplicate Content-Length headers. This occurs when headers are passed as flat arrays containing case-variant names, such as "Content-Length" and "content-length", which Undici does not normalize or deduplicate. Applications are impacted if they use low-level APIs like undici.request() or undici.Client with such header arrays, or if they accept user-controlled header names without case-normalization.
Remote attackers with network access can exploit this vulnerability without authentication or user interaction, as reflected in its CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). By supplying crafted header arrays, an attacker can cause denial of service against strict HTTP parsers in proxies or servers, which reject requests carrying conflicting Content-Length values with a 400 Bad Request response. In multi-tier deployments where a front-end intermediary and a backend interpret the duplicates differently (for example, one selects the first value and the other the last), the same condition enables HTTP request smuggling (CWE-444), potentially leading to access control bypass, cache poisoning, or credential hijacking.
Mitigation guidance and patches are detailed in official advisories, including the Undici GitHub security advisory (GHSA-2mjp-6q6p-2qxm) and OpenJSF security advisories. Additional technical context appears in the related HackerOne report (3556037) and RFC 9110 section on Content-Length handling.
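The NVD description and the analysis above both trace the problem to flat header arrays whose names are never case-folded before serialization. The following is an added example (not undici's own code, and not from any referenced advisory) of a caller-side normalization step that case-folds such an array, collapses identical repeats, and refuses to emit a request whose Content-Length (or other single-occurrence field) is ambiguous. The function and constant names are this example's own.

```javascript
// Added example (not undici's own code): case-fold a flat header array of
// the form ['Name', 'value', 'Name2', 'value2', ...] before handing it to a
// low-level HTTP client, so case-variant duplicates cannot reach the wire.
// Fields RFC 9110/9112 allow only once per message; duplicates of these are
// reported as conflicts rather than merged.
const SINGLETON_HEADERS = new Set(['content-length', 'host', 'transfer-encoding']);

function normalizeFlatHeaders(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new TypeError('flat header array must contain name/value pairs');
  }
  const grouped = new Map(); // lower-cased name -> raw values in order
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]).trim().toLowerCase();
    const value = String(flat[i + 1]).trim();
    if (!grouped.has(name)) grouped.set(name, []);
    grouped.get(name).push(value);
  }
  const headers = {};
  const conflicts = [];
  for (const [name, values] of grouped) {
    const distinct = [...new Set(values)];
    if (name === 'content-length' && !distinct.every((v) => /^\d+$/.test(v))) {
      conflicts.push({ name, values, reason: 'non-numeric Content-Length' });
    } else if (SINGLETON_HEADERS.has(name) && distinct.length > 1) {
      // e.g. Content-Length: 5 plus content-length: 10 -> ambiguous framing
      conflicts.push({ name, values, reason: 'conflicting duplicate values' });
    } else if (SINGLETON_HEADERS.has(name)) {
      // Identical repeats collapse to a single field line.
      headers[name] = distinct[0];
    } else {
      // List-based fields may be combined with a comma (RFC 9110 section 5.3).
      headers[name] = values.join(', ');
    }
  }
  return { headers, conflicts };
}

// Fail closed: refuse to build a request whose message framing is ambiguous.
function safeHeaders(flat) {
  const { headers, conflicts } = normalizeFlatHeaders(flat);
  if (conflicts.length > 0) {
    const detail = conflicts.map((c) => `${c.name}: ${c.values.join(' | ')} (${c.reason})`);
    throw new Error(`refusing ambiguous headers: ${detail.join('; ')}`);
  }
  return headers;
}

// Constructed sample mirroring the advisory: one field, two spellings, two values.
console.log(normalizeFlatHeaders(['Content-Length', '5', 'content-length', '10']).conflicts);
```

Upgrading to a patched undici release remains the primary fix; this check is a defence-in-depth guard for callers that still build flat header arrays from untrusted header names.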
Details
- CWE(s)