CVE-2026-1527

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1527
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

4.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://cna.openjsf.org/security-advisories.html Vendor Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq Mitigation Patch Vendor Advisory
https://hackerone.com/reports/3487198 Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
History

20 Mar 2026, 15:49

Type Values Removed Values Added
First Time Nodejs undici
Nodejs
CPE cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
References () https://cna.openjsf.org/security-advisories.html - () https://cna.openjsf.org/security-advisories.html - Vendor Advisory
References () https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq - () https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq - Mitigation, Patch, Vendor Advisory
References () https://hackerone.com/reports/3487198 - () https://hackerone.com/reports/3487198 - Permissions Required

13 Mar 2026, 20:06

Type Values Removed Values Added
Summary
  • (es) ImpactoCuando una aplicación pasa entrada controlada por el usuario a la opción upgrade de client.request(), un atacante puede inyectar secuencias CRLF (\r\n) para: * Inyectar encabezados HTTP arbitrarios * Terminar la solicitud HTTP prematuramente y contrabandear datos sin procesar a servicios no HTTP (Redis, Memcached, Elasticsearch) La vulnerabilidad existe porque undici escribe el valor upgrade directamente al socket sin validar caracteres de encabezado no válidos: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }

12 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-12 21:16

Updated : 2026-03-20 15:49

NVD link : CVE-2026-1527

Mitre link : CVE-2026-1527

CVE.ORG link : CVE-2026-1527

JSON object : View

Products Affected

nodejs

  • undici
CWE
CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')