VYPR
Moderate severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026

undici is vulnerable to CRLF Injection via upgrade option

CVE-2026-1527

Description

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CRLF injection in undici's client.request() upgrade option allows header injection and raw data smuggling to non-HTTP services when user input is unsanitized.

Vulnerability

CVE-2026-1527 is a CRLF injection vulnerability in the undici HTTP/1.1 client library, affecting the upgrade option of client.request(). When an application passes user-controlled input to this option, an attacker can inject CRLF sequences (\r\n) because the library writes the value directly to the socket without validating for invalid header characters (see lib/dispatcher/client-h1.js:1121) [1][2].

Exploitation

Exploitation requires that an application passes unsanitized user input to the upgrade parameter. An attacker can then insert \r\n sequences to add arbitrary HTTP headers, terminate the HTTP request prematurely, or smuggle raw data to non-HTTP backend services such as Redis, Memcached, or Elasticsearch [2][4].

Impact

Successful exploitation allows an attacker to perform HTTP request smuggling, potentially bypassing security controls or interacting with internal services in unintended ways. The impact depends on the backend services accessible from the affected application [4].

Mitigation

The vulnerability has been patched in undici versions v7.24.0 and v6.24.0. Users should upgrade immediately. For applications that cannot upgrade, a workaround is to sanitize the upgrade option by rejecting any input containing \r or \n characters [4].
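One way to apply that workaround at the call site, as an added example that is not undici's own code: a validator that rejects any upgrade value containing \r or \n (it also rejects other ASCII control characters, slightly stricter than the page's \r/\n check), a header builder that mirrors the vulnerable line above but only runs after validation, and a thin wrapper around client.request(). The names assertSafeUpgradeValue, buildUpgradeHeader, safeUpgradeRequest and the stub client are assumptions for this example.

```javascript
// Added example (not undici's code): guard the `upgrade` value before it
// reaches client.request(), so CR/LF can never be written into the header block.

// The page's workaround only needs the \r and \n check; rejecting every
// other ASCII control character (and DEL) is a stricter superset.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/

function assertSafeUpgradeValue (value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('upgrade must be a non-empty string')
  }
  if (value.includes('\r') || value.includes('\n')) {
    throw new TypeError('upgrade must not contain CR or LF')
  }
  if (CONTROL_CHARS.test(value)) {
    throw new TypeError('upgrade contains a control character')
  }
  return value
}

// Convenience for checks: true when the validator rejects the value.
function isRejected (value) {
  try { assertSafeUpgradeValue(value); return false } catch { return true }
}

// Mirrors the vulnerable line from lib/dispatcher/client-h1.js, but only after
// validation, so the emitted block is always exactly these two header lines.
function buildUpgradeHeader (upgrade) {
  const safe = assertSafeUpgradeValue(upgrade)
  return `connection: upgrade\r\nupgrade: ${safe}\r\n`
}

// Wrapper for client.request(): `client` is any object with a request(opts)
// method (undici's Client in practice; a stub is used here to stay offline).
function safeUpgradeRequest (client, opts) {
  if (opts.upgrade !== undefined) assertSafeUpgradeValue(opts.upgrade)
  return client.request(opts)
}

// Constructed stub client: records the options it was asked to send.
const stubClient = { request (opts) { return { sent: opts } } }

console.log(JSON.stringify(buildUpgradeHeader('websocket')))
// A constructed value with an embedded CRLF is refused before any socket write.
console.log('rejected:', isRejected('websocket\r\nx-injected: 1'))
```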

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions      Patched versions
undici    npm         < 6.24.0               6.24.0
undici    npm         >= 7.0.0, < 7.24.0     7.24.0

Affected products

  • undici/undiciv5
    Range: < 6.24.0; 7.0.0 < 7.24.0

