Moderate severityNVD Advisory· Published Mar 12, 2026· Updated Mar 13, 2026
undici is vulnerable to CRLF Injection via upgrade option
CVE-2026-1527
Description
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
* Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121 if (upgrade) { header += connection: upgrade\r\nupgrade: ${upgrade}\r\n }
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
undicinpm | < 6.24.0 | 6.24.0 |
undicinpm | >= 7.0.0, < 7.24.0 | 7.24.0 |
Affected products
49- osv-coords48 versionspkg:apk/chainguard/code-serverpkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/jitsucom-jitsu-rotorpkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.18pkg:apk/chainguard/kibana-8.18-bitnamipkg:apk/chainguard/kibana-8.18-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-bitnamipkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kibana-9.3pkg:apk/chainguard/kibana-9.3-iamguardedpkg:apk/chainguard/langfuse-3-workerpkg:apk/chainguard/langfuse-fips-3-workerpkg:apk/chainguard/librechatpkg:apk/chainguard/pelias-apipkg:apk/chainguard/renovatepkg:apk/wolfi/code-serverpkg:apk/wolfi/jitsucom-jitsu-consolepkg:apk/wolfi/jitsucom-jitsu-rotorpkg:apk/wolfi/langfuse-3-workerpkg:apk/wolfi/renovatepkg:npm/undicipkg:rpm/almalinux/nodejspkg:rpm/almalinux/nodejs24pkg:rpm/almalinux/nodejs24-develpkg:rpm/almalinux/nodejs24-docspkg:rpm/almalinux/nodejs24-full-i18npkg:rpm/almalinux/nodejs24-libspkg:rpm/almalinux/nodejs24-npmpkg:rpm/almalinux/nodejs-develpkg:rpm/almalinux/nodejs-docspkg:rpm/almalinux/nodejs-full-i18npkg:rpm/almalinux/nodejs-libspkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/nodejs-packaging-bundlerpkg:rpm/almalinux/npmpkg:rpm/almalinux/v8-13.6-devel
< 4.110.1-r2+ 47 more
- (no CPE)range: < 4.110.1-r2
- (no CPE)range: < 2.11.0-r17
- (no CPE)range: < 2.11.0-r17
- (no CPE)range: < 8.17.10-r13
- (no CPE)range: < 8.17.10-r13
- (no CPE)range: < 8.17.10-r13
- (no CPE)range: < 8.18.8-r11
- (no CPE)range: < 8.18.8-r11
- (no CPE)range: < 8.18.8-r11
- (no CPE)range: < 8.19.13-r4
- (no CPE)range: < 8.19.13-r4
- (no CPE)range: < 8.19.13-r4
- (no CPE)range: < 9.0.8-r14
- (no CPE)range: < 9.0.8-r14
- (no CPE)range: < 9.0.8-r14
- (no CPE)range: < 9.1.10-r7
- (no CPE)range: < 9.1.10-r7
- (no CPE)range: < 9.2.7-r0
- (no CPE)range: < 9.2.6-r3
- (no CPE)range: < 9.3.2-r0
- (no CPE)range: < 9.3.2-r0
- (no CPE)range: < 3.179.1-r1
- (no CPE)range: < 3.179.1-r1
- (no CPE)range: < 0.8.4-r3
- (no CPE)range: < 7.6.0-r4
- (no CPE)range: < 43.84.0-r1
- (no CPE)range: < 4.110.1-r2
- (no CPE)range: < 2.11.0-r17
- (no CPE)range: < 2.11.0-r17
- (no CPE)range: < 3.179.1-r1
- (no CPE)range: < 43.84.0-r1
- (no CPE)range: < 6.24.0
- (no CPE)range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 1:24.14.1-2.el10_1
- (no CPE)range: < 1:24.14.1-2.el10_1
- (no CPE)range: < 1:24.14.1-2.el10_1
- (no CPE)range: < 1:24.14.1-2.el10_1
- (no CPE)range: < 1:24.14.1-2.el10_1
- (no CPE)range: < 1:11.11.0-1.24.14.1.2.el10_1
- (no CPE)range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 3.0.3-3.module_el9.7.0+209+ecf6523e
- (no CPE)range: < 2021.06-6.module_el9.7.0+209+ecf6523e
- (no CPE)range: < 2021.06-6.module_el9.7.0+198+8bf605ba
- (no CPE)range: < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
- (no CPE)range: < 3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.