Cyber Resilience

CVE-2026-1525

Severity: Medium
Published: 12 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.0049 (38.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1525 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Nodejs Undici. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-1525 affects the Undici HTTP client library for Node.js, allowing the creation of malformed HTTP/1.1 requests with duplicate Content-Length headers. This occurs when headers are passed as flat arrays containing case-variant names, such as "Content-Length" and "content-length", which Undici does not normalize or deduplicate. Applications are impacted if they use low-level APIs like undici.request() or undici.Client with such header arrays, or if they accept user-controlled header names without case-normalization.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). By supplying crafted header arrays, attackers can trigger denial of service on strict HTTP parsers in proxies or servers, which reject requests with conflicting Content-Length values via 400 Bad Request responses. In multi-tier deployments where front-end intermediaries and backends interpret duplicates differently—such as one selecting the first value and another the last—this enables HTTP request smuggling (CWE-444), potentially leading to access control bypass, cache poisoning, or credential hijacking.

Mitigation guidance and patches are detailed in official advisories, including the Undici GitHub security advisory (GHSA-2mjp-6q6p-2qxm) and OpenJSF security advisories. Additional technical context appears in the related HackerOne report (3556037) and RFC 9110 section on Content-Length handling.


Vulnerability details

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:
* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
* Applications that accept user-controlled header names without case-normalization

Potential consequences:
* Denial of Service: strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
* HTTP Request Smuggling: in deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
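The header canonicalization the advisory calls for, as an added example that is not undici's own code: it folds case-variant names to lower case before the list reaches undici.request() or Client.request(), collapses identical duplicates of framing headers, and rejects conflicting ones. It also rejects a Content-Length sent together with Transfer-Encoding, which goes slightly beyond this CVE but follows the same HTTP/1.1 framing rule.

```javascript
// Added example, not undici's own code: canonicalize a header list before it is
// handed to undici.request() / new Client().request(), so that case-variant
// names such as "Content-Length" and "content-length" can never produce two
// conflicting Content-Length lines on the wire.
const SINGLETON = new Set(['content-length', 'host', 'transfer-encoding']);
const TOKEN = /^[!#$%&'*+.^_`|~0-9a-z-]+$/; // RFC 9110 field-name token characters (lowercased)

function toPairs(headers) {
  // Accept undici's flat form [name, value, name, value, ...] or an object
  // whose values may be strings or arrays of strings.
  if (Array.isArray(headers)) {
    if (headers.length % 2 !== 0) throw new TypeError('flat header array must have an even length');
    const pairs = [];
    for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
    return pairs;
  }
  return Object.entries(headers).flatMap(([k, v]) => (Array.isArray(v) ? v.map((x) => [k, x]) : [[k, v]]));
}

function normalizeHeaders(headers) {
  const out = new Map();
  for (const [rawName, rawValue] of toPairs(headers)) {
    const name = String(rawName).trim().toLowerCase();
    const value = String(rawValue).trim();
    if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${JSON.stringify(rawName)}`);
    if (/[\r\n]/.test(value)) throw new TypeError(`CR/LF in value of ${name}`); // no header injection
    if (name === 'content-length' && !/^\d+$/.test(value)) throw new TypeError(`non-numeric content-length: ${value}`);
    const prev = out.get(name);
    if (prev === undefined) {
      out.set(name, value);
    } else if (SINGLETON.has(name)) {
      // Framing headers must appear once: identical repeats collapse, conflicts are rejected.
      if (prev !== value) throw new Error(`conflicting ${name} values: ${prev} vs ${value}`);
    } else {
      out.set(name, `${prev}, ${value}`); // RFC 9110 list-combining for repeatable fields
    }
  }
  // An HTTP/1.1 sender must not emit both framing headers (RFC 9112); refuse the request instead.
  if (out.has('content-length') && out.has('transfer-encoding')) {
    throw new Error('content-length and transfer-encoding must not both be sent');
  }
  return Object.fromEntries(out);
}

// Usage (undici not loaded here):
//   undici.request(url, { method: 'POST', headers: normalizeHeaders(userHeaders), body });
```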

CWE(s): CWE-444 (HTTP Request/Response Smuggling)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in HTTP client enables malformed requests leading directly to request smuggling and DoS against public-facing web infrastructure/proxies (CWE-444).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1528 (same product: Nodejs Undici)
CVE-2026-2229 (same product: Nodejs Undici)
CVE-2026-1526 (same product: Nodejs Undici)
CVE-2026-22036 (same product: Nodejs Undici)
CVE-2026-40562 (shared CWE-444)
CVE-2026-41873 (shared CWE-444)
CVE-2026-23527 (shared CWE-444)
CVE-2026-2833 (shared CWE-444)
CVE-2026-28368 (shared CWE-444)
CVE-2025-31958 (shared CWE-444)

Affected Assets

nodejs undici: ≤ 6.24.0; 7.0.0 to 7.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and normalization of untrusted header arrays to reject or canonicalize duplicate case-variant Content-Length values before they reach the wire.

AC-4 Information Flow Enforcement (prevent)

Enforces consistent information-flow rules on HTTP header metadata so that intermediaries and back-ends interpret (or drop) conflicting Content-Length values identically, blocking smuggling.

Boundary protection (prevent, detect)

Boundary-protection devices can inspect outbound/inbound HTTP/1.1 traffic and drop requests containing duplicate or malformed Content-Length headers before they reach strict parsers.
