Vulnerability Description
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Undici | < 6.24.0 |
Related Weaknesses (CWE)
References
- https://cna.openjsf.org/security-advisories.htmlVendor Advisory
- https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvqMitigationPatchVendor Advisory
- https://hackerone.com/reports/3487198Permissions Required
FAQ
What is CVE-2026-1527?
CVE-2026-1527 is a vulnerability with a CVSS score of 4.6 (MEDIUM). ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate th...
How severe is CVE-2026-1527?
CVE-2026-1527 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1527?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Undici.