CVE-2026-1525
Received - Intake
Duplicate Content-Length Header Vulnerability in Undici Enables Request Smuggling

Publication date: 2026-03-12

Last updated on: 2026-03-19

Assigner: openjs

Description
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:
* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
* Applications that accept user-controlled header names without case-normalization

Potential consequences:
* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
nodejs   undici    up to 6.24.0 (excluding)
nodejs   undici    from 7.0.0 (including) to 7.24.0 (excluding)
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1525 is a vulnerability in the Node.js HTTP client library undici that allows duplicate HTTP Content-Length headers when these headers are provided as an array with case-variant names (e.g., "Content-Length" and "content-length"). This results in malformed HTTP/1.1 requests containing multiple conflicting Content-Length values on the wire.

This happens because undici does not normalize header names when headers are passed as flat arrays, allowing duplicates that violate HTTP protocol expectations.

The vulnerability can cause strict HTTP parsers such as proxies or servers to reject requests with a 400 Bad Request error, leading to Denial of Service. More critically, in environments where intermediaries and backends interpret duplicate headers inconsistently (e.g., one uses the first Content-Length value and the other uses the last), this discrepancy enables HTTP request smuggling attacks.

HTTP request smuggling can lead to serious security issues such as access control bypass, cache poisoning, or credential hijacking. [2, 3]


How can this vulnerability impact me?

The vulnerability can impact applications using undici's low-level APIs with headers passed as flat arrays or accepting user-controlled header names without case normalization.

* Denial of Service (DoS): Strict HTTP parsers will reject requests with duplicate Content-Length headers, causing 400 Bad Request errors and service disruption.
* HTTP Request Smuggling: Inconsistent interpretation of duplicate Content-Length headers between intermediaries and backend servers can enable attackers to smuggle malicious requests.
* Consequences of request smuggling include access control list (ACL) bypass, cache poisoning, and credential hijacking. [2, 3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying malformed HTTP/1.1 requests that contain duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length"). Such requests may cause strict HTTP parsers to reject them or behave inconsistently.

One approach is to monitor HTTP traffic for requests that include multiple Content-Length headers differing only by case. Network packet capture tools like tcpdump or Wireshark can be used to capture HTTP requests and inspect headers.

Example commands to detect duplicate Content-Length headers in HTTP requests might include:

* Using tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80'
* Using tshark (Wireshark CLI) to filter HTTP requests with multiple Content-Length headers: tshark -Y 'http.header matches "(?i)content-length"' -T fields -e http.header
* Using custom scripts or log analysis tools to parse HTTP request logs for duplicate Content-Length headers ignoring case.

Additionally, static analysis of application code that uses undici.request(), undici.Client, or similar APIs can help detect if headers are passed as flat arrays with potential duplicates or if user-controlled headers are accepted without normalization. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the undici library to versions 6.24.0 or 7.24.0 and later, where this vulnerability is patched.

If upgrading is not immediately feasible, the following workarounds are recommended:

* Validate header names before passing them to undici to ensure no duplicate Content-Length headers exist, considering case-insensitivity.
* Use the object format for headers (e.g., { 'content-length': '123' }) instead of arrays, as objects naturally deduplicate keys.
* Normalize header names to lowercase and reject duplicates when headers originate from user input.

Additionally, enforcing strict and consistent HTTP parsing on intermediaries and backend servers, as well as configuring pages as non-cacheable and using SSL/TLS, can help reduce the risk of HTTP request smuggling attacks. [2, 3]
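The header-normalization workaround from the mitigation answer and the log-parsing check from the detection answer, as one added example that is not undici's own code: `normalizeHeaders` lowercases the names in a flat `[name, value, ...]` array and rejects any repeated Content-Length before the array reaches `undici.request()`, and `contentLengthValues` scans a raw request head for the case-variant duplicate pattern. The function names and the sample request head are constructed for this example.

```javascript
// Added example (not undici's code). Flat header arrays are
// [name, value, name, value, ...]; in affected undici versions the names are
// not case-normalized in this shape, so both spellings would reach the wire.

// Lowercase every name; reject a second Content-Length regardless of case or
// value. Other repeated fields are merged into a comma-separated list, which
// HTTP permits for list-valued request headers.
function normalizeHeaders(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new TypeError('expected a flat [name, value, name, value, ...] array');
  }
  const out = {};
  const has = (k) => Object.prototype.hasOwnProperty.call(out, k);
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]).trim().toLowerCase();
    const value = String(flat[i + 1]).trim();
    if (name === 'content-length') {
      if (has(name)) throw new Error('duplicate Content-Length header rejected');
      if (!/^\d+$/.test(value)) throw new Error('Content-Length must be a non-negative integer');
      out[name] = value;
    } else if (has(name)) {
      out[name] = `${out[name]}, ${value}`;
    } else {
      out[name] = value;
    }
  }
  return out; // safe to pass as the headers object to undici.request()
}

// Return every Content-Length value in a raw HTTP/1.1 request head, ignoring
// case. More than one value is the malformed pattern worth alerting on.
function contentLengthValues(rawHead) {
  const values = [];
  for (const line of rawHead.split('\r\n').slice(1)) { // skip the request line
    if (line === '') break;                             // end of header block
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() === 'content-length') {
      values.push(line.slice(idx + 1).trim());
    }
  }
  return values;
}

// Constructed sample request head showing the case-variant duplicate.
const SAMPLE_HEAD =
  'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\ncontent-length: 10\r\n\r\nhello';

console.log(contentLengthValues(SAMPLE_HEAD)); // [ '5', '10' ]
try { normalizeHeaders(['Content-Length', '5', 'content-length', '10']); }
catch (e) { console.log('rejected:', e.message); }
```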

