CVE-2026-1527
ADVISORY - githubSummary
Impact
When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
Sanitize the upgrade option string before passing to undici:
function sanitizeUpgrade(value) {
if (/[\r\n]/.test(value)) {
throw new Error('Invalid upgrade value')
}
return value
}
client.request({
upgrade: sanitizeUpgrade(userInput)
})
Common Weakness Enumeration (CWE)
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Improper Neutralization of CRLF Sequences ('CRLF Injection')
NIST
2.1
CVSS SCORE
4.6mediumGitHub
2.1
CVSS SCORE
4.6mediumDebian
-
CVSS SCORE
N/AlowUbuntu
-
CVSS SCORE
N/AmediumAlma
-
CVSS SCORE
N/AhighAlma
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighRed Hat
2.3
CVSS SCORE
6.5mediumRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighChainguard
CGA-474r-8wcx-87w5
-
minimos
MINI-3fgx-hccc-hm6q
-
minimos
MINI-4rgr-2f52-j36h
-
minimos
MINI-fcfc-f83v-fq5c
-
minimos
MINI-g4mv-4p5v-f7mp
-
minimos
MINI-h444-fq94-jfc2
-
minimos
MINI-h5xc-966m-ccr9
-
minimos
MINI-j5pw-7gjw-738g
-
minimos
MINI-m554-ppx8-r58x
-
minimos
MINI-phmp-vjcv-cqrx
-
minimos
MINI-pmg3-6ch3-v3f3
-