CVE-2026-11525
Status: Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict). Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.
Generated: 2026-06-18
EPSS evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor   Product   Version / Range
nodejs   undici    5.15.0
nodejs   undici    to 6.26.0 (exc)
nodejs   undici    to 7.28.0 (exc)
nodejs   undici    to 8.5.0 (exc)
CWE

CWE-183: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Executive Summary

This vulnerability occurs in the undici HTTP client library when it parses the SameSite attribute in Set-Cookie headers. Instead of requiring an exact case-insensitive match to the standard values 'Strict', 'Lax', or 'None' as specified by RFC 6265, undici accepts any value containing these as substrings. For example, a value like 'SameSite=NoneOfYourBusiness' is incorrectly parsed as 'None', and 'SameSite=StrictLax' is parsed as 'Lax'.

Because of this permissive parsing, a malicious or non-compliant server can trick applications using undici into treating cookies with weaker SameSite policies than intended, potentially downgrading the security enforcement silently.

Impact Analysis

If your application uses undici to consume Set-Cookie headers and relies on the parsed SameSite attribute, this vulnerability can cause your application to accept weaker cookie policies than intended. This means cookies that should have stricter cross-site request protections might be downgraded to more permissive settings without your knowledge.

Such a downgrade can increase the risk of cross-site request forgery (CSRF) or other cross-site attacks by allowing cookies to be sent in contexts where they should be restricted.

The vulnerability has a low severity score (CVSS 3.7) and primarily impacts integrity, with no direct impact on confidentiality or availability.

Detection Guidance

This vulnerability can be detected by inspecting Set-Cookie headers in HTTP responses processed by undici versions before 6.26.0, 7.28.0, or 8.5.0. Specifically, look for SameSite attribute values that contain substrings like 'Strict', 'Lax', or 'None' but are not exact matches, such as 'SameSite=NoneOfYourBusiness' or 'SameSite=StrictLax'.

To detect this on your system or network, you can capture HTTP traffic and filter Set-Cookie headers for suspicious SameSite attribute values. Note that traffic on port 443 is TLS-encrypted, so a packet capture only exposes Set-Cookie headers on plaintext HTTP; for HTTPS, inspect responses at a TLS-terminating proxy or inside the application itself.

  • Use a network packet capture tool like tcpdump or Wireshark to capture HTTP responses.
  • Run a command such as: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Set-Cookie'
  • Use grep or similar tools to search for SameSite attributes that are not exactly 'Strict', 'Lax', or 'None' (case-insensitive). The exclusion pattern must anchor the token to the end of the attribute; an unanchored pattern such as 'SameSite=(Strict|Lax|None)' has the same substring bug as the parser and would hide SameSite=NoneOfYourBusiness. For example: grep -i 'SameSite=' | grep -viE 'SameSite=(Strict|Lax|None)[[:space:]]*(;|$)'

Additionally, if you have access to application logs or code, verify the parsed SameSite attribute values after undici processes Set-Cookie headers to ensure they are exactly one of the allowed values.

Mitigation Strategies

The primary mitigation is to upgrade undici to a patched version: v6.26.0, v7.28.0, or v8.5.0.

If upgrading immediately is not possible, implement a workaround by validating the SameSite attribute after parsing any Set-Cookie header. Ensure that the attribute is exactly one of 'Strict', 'Lax', or 'None' (case-insensitive) before forwarding or relying on it.

This validation prevents non-standard or malicious SameSite values from silently downgrading cookie security policies.
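The workaround above and the detection guidance in the previous section, as an added example that is not undici's own code: a minimal Set-Cookie attribute splitter, the substring-style mapping the advisory describes beside the RFC 6265 exact case-insensitive match, and an audit function that flags headers whose SameSite policy would be silently coerced. The attribute splitter and the order in which the permissive variant checks the tokens are assumptions chosen to reproduce the advisory's two examples, not a description of undici's internals.

```javascript
// Added example, not undici's code: contrasts the substring-style SameSite
// mapping the advisory describes with the RFC 6265 exact, case-insensitive
// match, and flags headers whose policy would be silently coerced.
const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Split a Set-Cookie header into name/value and a map of lower-cased attribute
// names; value-less attributes (Secure, HttpOnly) are stored as true.
function splitSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Permissive mapping as the advisory describes the unpatched behaviour: any value
// containing a token as a substring is coerced to that token. The check order is
// an assumption chosen so the advisory's examples come out as stated.
function sameSitePermissive(raw) {
  const lower = raw.toLowerCase();
  for (const t of ['None', 'Lax', 'Strict']) {
    if (lower.includes(t.toLowerCase())) return t;
  }
  return undefined;
}

// RFC 6265 behaviour: exact, case-insensitive match or the attribute is rejected.
function sameSiteExact(raw) {
  const lower = raw.trim().toLowerCase();
  return SAMESITE_TOKENS.find((t) => t.toLowerCase() === lower);
}

// Audit one header: report both interpretations and whether they disagree,
// which is the condition the advisory's workaround must catch before a cookie is forwarded.
function auditSetCookie(header) {
  const raw = splitSetCookie(header).attrs.samesite;
  if (typeof raw !== 'string') return { raw, permissive: undefined, exact: undefined, coerced: false };
  const permissive = sameSitePermissive(raw);
  const exact = sameSiteExact(raw);
  return { raw, permissive, exact, coerced: permissive !== exact };
}

// Constructed sample headers, not captured traffic.
for (const h of ['sid=abc; SameSite=NoneOfYourBusiness; Secure', 'sid=abc; SameSite=StrictLax', 'sid=abc; SameSite=lax']) {
  console.log(h, '->', auditSetCookie(h));
}
```

A header is safe to forward only when `exact` is defined; a `coerced` result means an unpatched undici would have mapped a non-spec value onto a standard token.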

Compliance Impact

This vulnerability allows a malicious or non-compliant server to coerce the consumer's view of a cookie's SameSite policy to a weaker value by permissive substring matching rather than exact matching as specified by RFC 6265.

Since the SameSite attribute controls cookie behavior related to cross-site request forgery (CSRF) protections and user privacy, weakening its enforcement could potentially degrade security controls that help meet regulatory requirements for data protection and privacy, such as GDPR and HIPAA.

However, the vulnerability has a low severity score (CVSS 3.7) and primarily impacts integrity without affecting confidentiality or availability directly.

To maintain compliance, affected applications should upgrade to patched versions or validate the SameSite attribute strictly to ensure it matches the exact allowed values, thereby preserving the intended cookie security policies.
