CVE-2026-1525
Published: 12 March 2026
Summary
CVE-2026-1525 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Undici, the HTTP client library for Node.js. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-1525 affects Undici, the HTTP client library for Node.js. When request headers are passed as a flat array (alternating name and value entries) that contains case-variant spellings of the same field name, such as "Content-Length" and "content-length", Undici neither folds the names to a canonical case nor deduplicates them, so both entries are written to the wire. HTTP field names are case-insensitive (RFC 9110), so the result is a malformed HTTP/1.1 request carrying two Content-Length field lines, possibly with conflicting values. Applications are impacted if they use low-level APIs such as undici.request() or undici.Client with such header arrays, or if they accept user-controlled header names without case-normalization.
The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, base score 6.5) reflects a network-reachable issue that needs no privileges or user interaction; in practice the attacker needs an application that forwards attacker-influenced header names or header arrays into Undici. With a crafted header array, the attacker can cause a denial of service against strict HTTP parsers in proxies or servers, which reject a request carrying conflicting Content-Length values with 400 Bad Request and close the connection. In multi-tier deployments where the front-end intermediary and the backend resolve duplicates differently, for example one taking the first value and the other the last, the two parsers disagree about where the request body ends. That disagreement is the precondition for HTTP request smuggling (CWE-444) and can lead to access-control bypass, cache poisoning, or credential hijacking.
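Both failure modes described above, as an added illustrative model that is not undici's code and not part of the advisory: a flat header array is serialised naively so both Content-Length spellings reach the wire, and the same bytes are then parsed under first-wins, last-wins and strict policies. The host, paths, lengths and body are constructed for illustration.

```javascript
"use strict";
// Added illustrative model (not undici's code): a flat [name, value, ...]
// header array with case-variant Content-Length names is serialised as two
// field lines, and HTTP/1.1 parsers that resolve duplicates differently
// then disagree about where the request body ends. Everything below
// (hosts, paths, lengths, the body) is constructed for illustration.

// Constructed flat header array. Nothing here folds case or de-duplicates,
// so "Content-Length" and "content-length" both survive.
const FLAT_HEADERS = [
  "Host", "backend.internal",
  "Content-Length", "5",
  "content-length", "28",
];

// Constructed body (ASCII only, so string length equals byte length):
// 5 bytes that a first-wins parser stops after, followed by a second
// request line that a parser honouring 28 treats as part of the body.
const BODY = "AAAAA" + "GET /admin HTTP/1.1\r\n\r\n"; // 5 + 23 = 28 bytes

// Naive serialiser modelling the vulnerable behaviour: every pair becomes
// its own field line, so the duplicate reaches the wire unchanged.
function buildRawRequest(flat, body) {
  let out = "POST /upload HTTP/1.1\r\n";
  for (let i = 0; i < flat.length; i += 2) {
    out += `${flat[i]}: ${flat[i + 1]}\r\n`;
  }
  return out + "\r\n" + body;
}

// Minimal request parser. `policy` selects how duplicate Content-Length
// lines are resolved: "first", "last", or "strict" (RFC 9110 s8.6: differing
// values are an unrecoverable framing error, answered with 400).
function parseRequest(raw, policy) {
  const headerEnd = raw.indexOf("\r\n\r\n");
  if (headerEnd === -1) throw new Error("400 Bad Request: no header terminator");
  const lines = raw.slice(0, headerEnd).split("\r\n");
  const requestLine = lines.shift();
  const values = [];
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error("400 Bad Request: malformed field line");
    if (line.slice(0, colon).trim().toLowerCase() === "content-length") {
      values.push(line.slice(colon + 1).trim());
    }
  }
  if (values.length === 0) throw new Error("411 Length Required");
  if (values.some((v) => !/^\d+$/.test(v))) throw new Error("400 Bad Request: invalid Content-Length");
  const distinct = new Set(values);
  let chosen;
  if (policy === "strict" && distinct.size > 1) {
    throw new Error("400 Bad Request: conflicting Content-Length values");
  } else if (policy === "last") {
    chosen = values[values.length - 1];
  } else {
    chosen = values[0]; // "first", and "strict" when the duplicates agree
  }
  const length = Number(chosen);
  const payload = raw.slice(headerEnd + 4);
  return {
    requestLine,
    contentLength: length,
    body: payload.slice(0, length),
    leftover: payload.slice(length), // bytes a desynced parser reads as the next request
  };
}

const RAW_REQUEST = buildRawRequest(FLAT_HEADERS, BODY);

// A front end that takes the last value forwards one 28-byte request; a back
// end that takes the first value stops after 5 bytes and treats the remaining
// "GET /admin ..." as a new request on the same connection. A strict parser
// refuses the request outright (the denial-of-service case).
function desyncReport(raw) {
  const frontEnd = parseRequest(raw, "last");
  const backEnd = parseRequest(raw, "first");
  let strictOutcome = "accepted";
  try { parseRequest(raw, "strict"); } catch (e) { strictOutcome = e.message; }
  return {
    frontEndLeftover: frontEnd.leftover,
    backEndLeftover: backEnd.leftover,
    smuggled: frontEnd.leftover === "" && backEnd.leftover !== "",
    strictOutcome,
  };
}

console.log(RAW_REQUEST);
console.log(desyncReport(RAW_REQUEST));
```

The "strict" policy is the behaviour RFC 9110 section 8.6 requires of a server: differing Content-Length values are a framing error that must be answered with 400 and a closed connection, while identical duplicates may be collapsed into one. The first-wins/last-wins split is what turns the same bytes into a smuggled GET /admin on the backend.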
Mitigation guidance and patches are detailed in official advisories, including the Undici GitHub security advisory (GHSA-2mjp-6q6p-2qxm) and OpenJSF security advisories. Additional technical context appears in the related HackerOne report (3556037) and RFC 9110 section on Content-Length handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11685
Vulnerability details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: in deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A flaw in an HTTP client that lets malformed requests reach the wire leads directly to request smuggling and denial of service against public-facing web infrastructure and proxies (CWE-444).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and normalization of untrusted header arrays, so that duplicate case-variant Content-Length values are rejected or canonicalized before they reach the wire.
- AC-4 (Information Flow Enforcement): enforces consistent information-flow rules for HTTP header metadata, so that intermediaries and backends interpret (or drop) conflicting Content-Length values identically, blocking smuggling.
- Boundary protection: boundary-protection devices can inspect inbound and outbound HTTP/1.1 traffic and drop requests containing duplicate or malformed Content-Length headers before they reach strict parsers.
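One way to apply the input-validation control (SI-10) in application code, as an added example that is not the project's or undici's own: a canonicalization step run over a header collection before it is handed to undici.request() or a Client. The function names (canonicalizeHeaders, tryCanonicalize) and the sample inputs are assumptions made for illustration; the token character set and the duplicate-Content-Length rule follow RFC 9110.

```javascript
"use strict";
// Added hardening example (not undici's or the project's code): canonicalise
// a header collection before it is handed to any HTTP client, so that
// duplicate case-variant Content-Length fields are merged or rejected instead
// of being serialised twice. Names are folded to lowercase and checked against
// the RFC 9110 token grammar; values are checked for CR, LF and NUL so
// user-controlled input cannot inject extra field lines. The function name
// canonicalizeHeaders is an assumption, not an undici API.

const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 field-name tchar set
const CTL_RE = /[\r\n\0]/;                          // line breaks or NUL inside a value

class HeaderValidationError extends Error {}

// Accept either the flat [name, value, ...] array shape or a plain object
// (string or string[] values) and yield [name, value] pairs for uniform checks.
function toPairs(input) {
  const pairs = [];
  if (Array.isArray(input)) {
    if (input.length % 2 !== 0) throw new HeaderValidationError("odd-length flat header array");
    for (let i = 0; i < input.length; i += 2) pairs.push([input[i], input[i + 1]]);
    return pairs;
  }
  for (const [name, value] of Object.entries(input)) {
    for (const v of Array.isArray(value) ? value : [value]) pairs.push([name, v]);
  }
  return pairs;
}

// Returns a plain object keyed by lowercase field name. content-length is
// collapsed to one value and conflicting values are rejected; other repeated
// fields are kept as an array of values.
function canonicalizeHeaders(input) {
  const out = Object.create(null);
  for (const [rawName, rawValue] of toPairs(input)) {
    if (typeof rawName !== "string" || !TOKEN_RE.test(rawName)) {
      throw new HeaderValidationError(`invalid header name: ${JSON.stringify(rawName)}`);
    }
    const value = String(rawValue).trim();
    if (CTL_RE.test(value)) {
      throw new HeaderValidationError(`control character in value of ${rawName}`);
    }
    const name = rawName.toLowerCase();
    if (name === "content-length") {
      if (!/^\d+$/.test(value)) throw new HeaderValidationError(`invalid Content-Length: ${value}`);
      if (name in out && out[name] !== value) {
        throw new HeaderValidationError(`conflicting Content-Length values: ${out[name]} vs ${value}`);
      }
      out[name] = value; // an identical duplicate collapses to a single field
    } else if (name in out) {
      out[name] = [].concat(out[name], value);
    } else {
      out[name] = value;
    }
  }
  return out;
}

// Convenience wrapper that reports the outcome instead of throwing, for use
// at the boundary where user-supplied headers enter the application.
function tryCanonicalize(input) {
  try {
    return { ok: true, headers: canonicalizeHeaders(input) };
  } catch (e) {
    if (e instanceof HeaderValidationError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed inputs: the advisory's case-variant duplicate, an identical
// duplicate, and a user-controlled value carrying a CRLF injection.
console.log(tryCanonicalize(["Content-Length", "5", "content-length", "28"]));
console.log(tryCanonicalize(["Content-Length", "5", "content-length", "5", "Accept", "text/html"]));
console.log(tryCanonicalize({ "X-Forwarded-For": "203.0.113.9\r\nContent-Length: 0" }));
```

The returned object has one entry per canonical field name, so a flat array that would have produced two Content-Length lines either comes back with a single value or is refused before anything is sent. Rejecting rather than silently picking a value matters because the choice the client makes may not match the choice a downstream parser makes.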