CVE-2026-6733
Status: Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
6 associated CPEs

Vendor   Product   Version / Range
nodejs   undici    6.26.0
nodejs   undici    7.28.0
nodejs   undici    8.5.0
nodejs   undici    up to 6.26.0 (exclusive)
nodejs   undici    from 7.0.0 (inclusive) to 7.28.0 (exclusive)
nodejs   undici    from 8.0.0 (inclusive) to 8.5.0 (exclusive)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Compliance Impact

The vulnerability in undici's HTTP/1.1 client involves response queue poisoning that can cause responses to be delivered to the wrong requests. However, it has no impact on confidentiality and only a low impact on integrity, with no effect on availability.

Given the lack of confidentiality impact, this vulnerability is unlikely to directly cause violations of data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive data confidentiality and integrity.

Nevertheless, any integrity issues in HTTP responses could potentially affect the reliability of data exchanges, so organizations should apply patches or workarounds to maintain compliance and ensure secure communications.

Executive Summary

CVE-2026-6733 affects the undici HTTP/1.1 client library and involves a response queue poisoning vulnerability related to reused keep-alive sockets.

An attacker who controls or has compromised an upstream HTTP/1.1 server can inject unsolicited HTTP responses onto an idle socket after a request completes.

When the client sends the next request on that same socket, it mistakenly associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This issue arises due to the reuse of keep-alive connections and is classified as a Time-of-check Time-of-use (TOCTOU) race condition.
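The following model is an added illustration, not undici's code and not a description of undici's actual patch. It reproduces the bookkeeping the summary describes: a keep-alive client pairs each complete response it reads with the oldest request still in flight, so a response written by the upstream while the socket is idle is quietly held and then handed to whatever request is dispatched next. The `rejectUnsolicited` option is an assumed hardening used for contrast (bytes arriving while nothing is owed cause the socket to be discarded); the HTTP framing and the request names (`GET /a`, `GET /b`) are constructed for the example.

```javascript
// Added illustrative model of keep-alive response pairing (not undici's code).

// Minimal HTTP/1.1 response framing: status line, headers, Content-Length body.
// Returns { status, body, rest } or null if the buffer holds no complete response.
function parseOneResponse(buf) {
  const headerEnd = buf.indexOf('\r\n\r\n');
  if (headerEnd < 0) return null;
  const head = buf.slice(0, headerEnd).split('\r\n');
  const status = Number(head[0].split(' ')[1]);
  const lenHeader = head.slice(1).find(h => /^content-length:/i.test(h));
  const len = lenHeader ? Number(lenHeader.split(':')[1]) : 0;
  const bodyStart = headerEnd + 4;
  if (buf.length < bodyStart + len) return null;
  return { status, body: buf.slice(bodyStart, bodyStart + len), rest: buf.slice(bodyStart + len) };
}

// Builds a constructed 200 response with the given body (sample data, not captured traffic).
function response(body) {
  return `HTTP/1.1 200 OK\r\nContent-Length: ${body.length}\r\n\r\n${body}`;
}

class KeepAliveConnection {
  constructor({ rejectUnsolicited, onResponse }) {
    this.rejectUnsolicited = rejectUnsolicited; // assumed hardening, on/off for contrast
    this.onResponse = onResponse;               // receives { request, status, body }
    this.inflight = [];                         // requests written, awaiting responses (FIFO)
    this.buffer = '';                           // bytes read from the socket, not yet consumed
    this.closed = false;
  }

  // Client side: dispatch a request on this socket, then try to pair any buffered bytes.
  send(request) {
    if (this.closed) throw new Error('connection closed');
    this.inflight.push(request);
    this.drain();
  }

  // Socket side: bytes from the upstream arrive. They may be the reply to an in-flight
  // request or an unsolicited response written after the previous exchange completed.
  receive(bytes) {
    if (this.closed) return;
    if (this.inflight.length === 0 && this.rejectUnsolicited) {
      // Hardened variant: nothing is owed to us, so these bytes cannot belong to any
      // request. Discard the socket instead of keeping the bytes for the next request.
      this.closed = true;
      this.buffer = '';
      return;
    }
    this.buffer += bytes;
    this.drain();
  }

  // Pair every complete response in the buffer with the oldest in-flight request.
  // This is the step that turns held-over bytes into "the response for request B".
  drain() {
    let parsed;
    while (this.inflight.length > 0 && (parsed = parseOneResponse(this.buffer))) {
      const request = this.inflight.shift();
      this.onResponse({ request, status: parsed.status, body: parsed.body });
      this.buffer = parsed.rest;
    }
  }
}

// Scenario from the advisory: the upstream answers request A, writes an extra response
// while the socket is idle, and the client then dispatches request B on the same socket.
function runScenario(rejectUnsolicited) {
  const delivered = [];
  const opts = { rejectUnsolicited, onResponse: r => delivered.push(r) };
  let conn = new KeepAliveConnection(opts);
  let connections = 1;

  conn.send('GET /a');
  conn.receive(response('for /a'));    // legitimate reply to A
  conn.receive(response('injected'));  // unsolicited bytes on the now-idle socket
  if (conn.closed) {                   // hardened variant dropped the socket: reconnect
    conn = new KeepAliveConnection(opts);
    connections++;
  }
  conn.send('GET /b');
  conn.receive(response('for /b'));    // the real reply to B

  return { delivered, connections, leftover: conn.buffer };
}

console.log(JSON.stringify(runScenario(false), null, 1)); // B receives "injected"
console.log(JSON.stringify(runScenario(true), null, 1));  // B receives "for /b"
```

In the unhardened run, request B is answered with the injected body and the genuine reply to B is left sitting in the buffer, ready to be attached to whatever request comes after it; the mismatch persists for as long as the socket stays in the pool. Disabling reuse (the page's `keepAliveTimeout: 0` workaround) removes the idle window in which unsolicited bytes can accumulate, which is why it is an effective stopgap until the patched release is installed.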

Impact Analysis

This vulnerability can cause the client to receive incorrect HTTP responses that were injected by an attacker-controlled upstream server.

The impact is primarily on data integrity, as responses may be mismatched with requests, potentially leading to incorrect application behavior.

The vulnerability has a low severity rating with a CVSS score of 3.7, indicating limited impact.

It does not affect confidentiality or availability, and does not require privileges or user interaction to be exploited.

Mitigation Strategies

To mitigate this vulnerability, upgrade undici to the patched release for the major version in use: 6.26.0, 7.28.0, or 8.5.0.

As a workaround, you can disable keep-alive connection reuse by setting the keepAliveTimeout option to 0 on the Client or Pool.
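To turn the affected-range table and the patch advice above into a check a practitioner can run, the following is an added example (not BaseFortify's or undici's code). It encodes the three ranges exactly as the page lists them (the 6.x range has no stated lower bound, so every release below 6.26.0 is treated as affected), compares installed versions against them with semver ordering, and walks a package-lock.json `packages` map to report every copy of undici, including nested ones, that still needs the fix. The lockfile contents are constructed sample data.

```javascript
// Added example (not the page's or undici's code): audit undici versions against the
// affected ranges listed for CVE-2026-6733.

// Ranges as given on the page: from (inclusive) up to (exclusive). `to` is also the
// patched release for that line, so it doubles as the upgrade target.
const AFFECTED_RANGES = [
  { from: null,    to: '6.26.0' }, // no lower bound on the page
  { from: '7.0.0', to: '7.28.0' },
  { from: '8.0.0', to: '8.5.0'  },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (leading "v" and build metadata ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: m[4] || null };
}

// Semver comparison: numeric triple first; a pre-release of X sorts before X itself,
// so 8.5.0-rc.1 is still counted as affected. Pre-release identifiers are not ordered
// against each other here, which is enough for range membership.
function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

function inRange(version, { from, to }) {
  return (from === null || compare(version, from) >= 0) && compare(version, to) < 0;
}

// Patched release for an affected version, or null when the version is already fixed.
function fixedVersionFor(version) {
  const range = AFFECTED_RANGES.find(r => inRange(version, r));
  return range ? range.to : null;
}

function isAffected(version) {
  return fixedVersionFor(version) !== null;
}

// Walk a lockfileVersion 2/3 package-lock.json "packages" map. Nested copies of undici
// appear at paths such as node_modules/<dep>/node_modules/undici and are easy to miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/undici') || !meta.version) continue;
    const upgradeTo = fixedVersionFor(meta.version);
    if (upgradeTo !== null) findings.push({ path, version: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile for the example; not a real project.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/undici':                      { version: '7.27.3' },
    'node_modules/some-sdk/node_modules/undici': { version: '6.26.0' },
    'node_modules/other/node_modules/undici':    { version: '5.28.4' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means every copy of undici is at or above the patched release for its line. Where an upgrade cannot be applied immediately, the page's workaround of `keepAliveTimeout: 0` on each `Client` or `Pool` applies to every reported copy, not only the top-level one.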
