Executive Summary

CVE-2026-1527 is a moderate severity CRLF (Carriage Return Line Feed) injection vulnerability in the Node.js HTTP client library undici. It occurs when an application passes user-controlled input to the upgrade option of client.request().

Because undici writes the upgrade value directly to the socket without validating or sanitizing it for invalid header characters such as CRLF sequences (\r\n), an attacker can inject arbitrary HTTP headers or prematurely terminate the HTTP request.

This can enable HTTP request smuggling attacks or allow raw data to be sent to non-HTTP services like Redis, Memcached, or Elasticsearch.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to inject arbitrary HTTP headers or prematurely terminate HTTP requests, which can lead to HTTP request smuggling.

It also allows attackers to smuggle raw data to non-HTTP services such as Redis, Memcached, or Elasticsearch, potentially compromising confidentiality and integrity of data.

The attack requires low privileges and some user interaction but can affect the confidentiality and integrity of your system at a low level.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves injection of CRLF sequences into the upgrade option of client.request() in the undici HTTP client library. Detection involves identifying if user-controlled input is passed unsanitized to the upgrade header, potentially allowing HTTP header injection or request smuggling.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, you can monitor HTTP requests for unusual or malformed upgrade headers containing CR or LF characters. Network traffic inspection tools or proxy logs can help identify such anomalies.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, a general approach includes using tools like tcpdump or Wireshark to capture HTTP traffic and grep or similar tools to search for suspicious upgrade headers. For example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'upgrade:'"}, {'type': 'list_item', 'content': 'Use a proxy or HTTP inspection tool to log and analyze headers for CRLF injection patterns.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing application logs or code to check if the upgrade option is sanitized before being passed to client.request() can help detect potential vulnerability presence.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade the undici library to version 6.24.0 or 7.24.0 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'As an immediate workaround, sanitize the input passed to the upgrade option to reject any values containing CR or LF characters. For example, implement a function that throws an error if such characters are detected before passing the value to client.request().'}, {'type': 'list_item', 'content': 'Upgrade undici to version 6.24.0 or 7.24.0+.'}, {'type': 'list_item', 'content': 'Sanitize the upgrade header input to disallow CRLF sequences, e.g.:'}, {'type': 'list_item', 'content': "function sanitizeUpgrade(value) { if (/[\r\n]/.test(value)) { throw new Error('Invalid upgrade value'); } return value; }"}, {'type': 'list_item', 'content': 'Use sanitized input when calling client.request({ upgrade: sanitizeUpgrade(userInput) });'}] [1]

Useful 0 Not Useful 0