CVE-2026-1525

{"id": "CVE-2026-1525", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-12T20:16:02.670", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://cwe.mitre.org/data/definitions/444.html", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm", "tags": ["Mitigation", "Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://hackerone.com/reports/3556037", "tags": ["Permissions Required"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6", "tags": ["Technical Description"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "Undici allows duplicate HTTP\u00a0Content-Length\u00a0headers when they are provided in an array with case-variant names (e.g.,\u00a0Content-Length\u00a0and\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\u00a0Content-Length\u00a0values on the wire.\n\nWho is impacted:\n\n * Applications using\u00a0undici.request(),\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\n * Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u00a0Content-Length\u00a0headers (400 Bad Request)\n * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking"}, {"lang": "es", "value": "Undici permite encabezados HTTP Content-Length duplicados cuando se proporcionan en un array con nombres que var\u00edan en may\u00fasculas/min\u00fasculas (p. ej., Content-Length y content-length). Esto produce solicitudes HTTP/1.1 malformadas con m\u00faltiples valores Content-Length conflictivos en la red.\n\nQui\u00e9nes son los afectados:\n\n * Aplicaciones que utilizan undici.request(), undici.Cliente, o APIs de bajo nivel similares con encabezados pasados como arrays planos\n * Aplicaciones que aceptan nombres de encabezado controlados por el usuario sin normalizaci\u00f3n de may\u00fasculas/min\u00fasculas\n\nPosibles consecuencias:\n\n * Denegaci\u00f3n de Servicio: Analizadores HTTP estrictos (proxies, servidores) rechazar\u00e1n las solicitudes con encabezados Content-Length duplicados (400 Solicitud Incorrecta)\n * Contrabando de Solicitudes HTTP: En implementaciones donde un intermediario y un backend interpretan encabezados duplicados de manera inconsistente (p. ej., uno usa el primer valor, el otro usa el \u00faltimo), esto puede habilitar ataques de contrabando de solicitudes que conducen a la omisi\u00f3n de ACL, envenenamiento de cach\u00e9 o secuestro de credenciales"}], "lastModified": "2026-03-19T17:29:34.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C08CE582-019D-4A06-910A-6010C2D6EF4F", "versionEndExcluding": "6.24.0"}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F016E7D9-C45A-4DEF-9AD8-F0581AF5E509", "versionEndExcluding": "7.24.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}