Undici HTTP Client Allows Malicious Header Injection
CVE-2026-1527
GHSA-4992-7rv2-5pvq
Summary
Using Undici's HTTP client, an attacker can inject malicious HTTP headers or terminate requests to inject data into non-HTTP services like Redis, Memcached, or Elasticsearch. This happens when user-controlled input is used with the upgrade option of the client.request() method. To protect against this, validate user input before passing it to the client.request() method.
What to do
- Update undici to version 6.24.0.
- Update undici to version 7.24.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | undici | <= 6.24.0 | 6.24.0 |
| – | undici | > 7.0.0, <= 7.24.0 | 7.24.0 |
Original title
Undici has CRLF Injection in undici via `upgrade` option
Original description
### Impact
When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to:
1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:
```javascript
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
```
### Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to those versions or later.
### Workarounds
Sanitize the `upgrade` option string before passing it to undici:
```javascript
// Reject any value containing a CR or LF so it cannot terminate the
// header line that undici builds from it.
function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})
```
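Added example, not undici's code or part of the advisory: a stricter validator that accepts only an RFC 9110 token list in the `upgrade` value (so CR, LF and every other control or whitespace character are rejected by the grammar rather than by a blocklist), next to a helper named `buildUpgradeHeader` that is hypothetical and only models the shape of the quoted client-h1.js line so the effect of an unvalidated value on the request head is visible.

```javascript
// RFC 9110 tchar set. An Upgrade value is a comma-separated list of protocol
// names such as "websocket" or "h2c", each optionally followed by "/version".
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"
const PROTOCOL = `${TCHAR}(?:/${TCHAR})?`
const UPGRADE_LIST_RE = new RegExp(`^${PROTOCOL}(?:[ \\t]*,[ \\t]*${PROTOCOL})*$`)

// Accept only a well-formed protocol list and return it in canonical form.
// Anything outside the grammar (CR, LF, NUL, spaces inside a token, an empty
// list element) throws, so header injection is rejected as a side effect.
function validateUpgrade(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('upgrade must be a non-empty string')
  }
  if (!UPGRADE_LIST_RE.test(value)) {
    throw new Error(`invalid upgrade value: ${JSON.stringify(value)}`)
  }
  return value.split(',').map((p) => p.trim()).join(', ')
}

// Hypothetical helper (not undici's API) modelling the quoted line: the
// value is interpolated into the request head verbatim.
function buildUpgradeHeader(upgrade) {
  return `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

// Number of CRLF-terminated lines in a fragment. A well-formed Upgrade
// fragment has exactly two: the connection line and the upgrade line.
function countHeaderLines(fragment) {
  return fragment.split('\r\n').length - 1
}

// Constructed inputs: a benign value and one carrying a line terminator.
const BENIGN = 'websocket'
const WITH_CRLF = 'websocket\r\nx-injected: 1'

console.log(countHeaderLines(buildUpgradeHeader(BENIGN)))    // 2
console.log(countHeaderLines(buildUpgradeHeader(WITH_CRLF))) // 3
console.log(validateUpgrade('h2c ,websocket'))               // h2c, websocket
```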
NVD CVSS 3.1
4.6
Vulnerability type
CWE-93
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026