CVE-2026-1525
Received Received - Intake
Duplicate Content-Length Header Vulnerability in Undici Enables Request Smuggling

Publication date: 2026-03-12

Last updated on: 2026-03-19

Assigner: openjs

Description
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1525
EUVD
EUVD-2026-11685
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nodejs undici to 6.24.0 (exc)
nodejs undici From 7.0.0 (inc) to 7.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-1525 is a vulnerability in the Node.js HTTP client library undici that allows duplicate HTTP Content-Length headers when these headers are provided as an array with case-variant names (e.g., "Content-Length" and "content-length"). This results in malformed HTTP/1.1 requests containing multiple conflicting Content-Length values on the wire.'}, {'type': 'paragraph', 'content': 'This happens because undici does not normalize header names when headers are passed as flat arrays, allowing duplicates that violate HTTP protocol expectations.'}, {'type': 'paragraph', 'content': 'The vulnerability can cause strict HTTP parsers such as proxies or servers to reject requests with a 400 Bad Request error, leading to Denial of Service. More critically, in environments where intermediaries and backends interpret duplicate headers inconsistently (e.g., one uses the first Content-Length value and the other uses the last), this discrepancy enables HTTP request smuggling attacks.'}, {'type': 'paragraph', 'content': 'HTTP request smuggling can lead to serious security issues such as access control bypass, cache poisoning, or credential hijacking.'}] [2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "The vulnerability can impact applications using undici's low-level APIs with headers passed as flat arrays or accepting user-controlled header names without case normalization."}, {'type': 'list_item', 'content': 'Denial of Service (DoS): Strict HTTP parsers will reject requests with duplicate Content-Length headers, causing 400 Bad Request errors and service disruption.'}, {'type': 'list_item', 'content': 'HTTP Request Smuggling: Inconsistent interpretation of duplicate Content-Length headers between intermediaries and backend servers can enable attackers to smuggle malicious requests.'}, {'type': 'list_item', 'content': 'Consequences of request smuggling include access control list (ACL) bypass, cache poisoning, and credential hijacking.'}] [2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying malformed HTTP/1.1 requests that contain duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length"). Such requests may cause strict HTTP parsers to reject them or behave inconsistently.'}, {'type': 'paragraph', 'content': 'One approach is to monitor HTTP traffic for requests that include multiple Content-Length headers differing only by case. Network packet capture tools like tcpdump or Wireshark can be used to capture HTTP requests and inspect headers.'}, {'type': 'paragraph', 'content': 'Example commands to detect duplicate Content-Length headers in HTTP requests might include:'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80'"}, {'type': 'list_item', 'content': 'Using tshark (Wireshark CLI) to filter HTTP requests with multiple Content-Length headers: tshark -Y \'http.header matches "(?i)content-length"\' -T fields -e http.header'}, {'type': 'list_item', 'content': 'Using custom scripts or log analysis tools to parse HTTP request logs for duplicate Content-Length headers ignoring case.'}, {'type': 'paragraph', 'content': 'Additionally, static analysis of application code that uses undici.request(), undici.Client, or similar APIs can help detect if headers are passed as flat arrays with potential duplicates or if user-controlled headers are accepted without normalization.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading the undici library to versions 6.24.0 or 7.24.0 and later, where this vulnerability is patched.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately feasible, the following workarounds are recommended:'}, {'type': 'list_item', 'content': 'Validate header names before passing them to undici to ensure no duplicate Content-Length headers exist, considering case-insensitivity.'}, {'type': 'list_item', 'content': "Use the object format for headers (e.g., { 'content-length': '123' }) instead of arrays, as objects naturally deduplicate keys."}, {'type': 'list_item', 'content': 'Normalize header names to lowercase and reject duplicates when headers originate from user input.'}, {'type': 'paragraph', 'content': 'Additionally, enforcing strict and consistent HTTP parsing on intermediaries and backend servers, as well as configuring pages as non-cacheable and using SSL/TLS, can help reduce the risk of HTTP request smuggling attacks.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart