CVE-2026-9679
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description
Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header. This was introduced in undici 7.0.0 via PR #3789.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product   Version / Range
nodejs   undici    6.26.0
nodejs   undici    From 7.0.0 (inc) to 7.28.0 (exc)
nodejs   undici    From 8.0.0 (inc) to 8.5.0 (exc)
nodejs   undici    7.28.0
nodejs   undici    8.5.0
CWE ID   Description
CWE-93   The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Compliance Impact

This vulnerability enables HTTP response header injection, allowing attackers to inject malicious headers such as Set-Cookie, Location, or Cache-Control. Such attacks can lead to session fixation, open redirects, or cache poisoning, which may compromise data integrity and user session security.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to manipulate HTTP headers and potentially hijack sessions or redirect users could lead to violations of data protection and privacy requirements mandated by these regulations.

Therefore, organizations using affected versions of undici without proper mitigation may face increased risk of non-compliance due to potential unauthorized access or data manipulation.

Executive Summary

The vulnerability exists in undici's cookie parser functions (parseSetCookie, parseCookie, getSetCookies), which percent-decode cookie values including sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. This behavior is not compliant with RFC 6265 §5.4, which does not specify such decoding, and browsers do not perform this decoding either.

Because of this decoding, applications that parse a Set-Cookie header and then forward the parsed value into response headers (such as proxies, middleware, or server-side rendering frameworks) become vulnerable to HTTP response header injection. An attacker controlling upstream input can inject arbitrary headers like Set-Cookie, Location, or Cache-Control into downstream responses.

This vulnerability was introduced in undici version 7.0.0 and can lead to attacks such as session fixation, open redirect, or cache poisoning.

Impact Analysis

If your application uses undici's cookie parsing functions and forwards the parsed cookie values directly into response headers without sanitization, an attacker could exploit this vulnerability to inject malicious HTTP headers.

  • Session fixation: attackers can manipulate session cookies to hijack user sessions.
  • Open redirect: attackers can inject Location headers to redirect users to malicious sites.
  • Cache poisoning: attackers can inject Cache-Control headers to manipulate caching behavior, potentially serving malicious content.

Detection Guidance

This vulnerability arises when applications using undici's cookie parsing functions (parseSetCookie, parseCookie, getSetCookies) forward decoded cookie values directly into response headers, allowing HTTP response header injection.

To detect this vulnerability on your system or network, check whether your application uses a vulnerable version of undici (any version prior to 6.26.0, 7.0.0 up to but not including 7.28.0, or 8.0.0 up to but not including 8.5.0) and whether it forwards parsed cookie values directly into response headers without sanitization.

There are no specific commands provided in the available information to detect this vulnerability directly.
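The version check described above can be automated against a project's package-lock.json. The following is an added example, not code from this advisory, from BaseFortify, or from the undici project. The affected ranges are copied from the Detection Guidance on this page; the lockfile layout assumed is the lockfileVersion 2/3 "packages" map keyed by install path, so copies of undici nested under another dependency are found as well. Because the description dates the bug to undici 7.0.0, hits in the pre-6.26.0 range are worth confirming by hand. The sample lockfile is constructed.

```javascript
// Added example, not code from the advisory or from undici.
// Flags undici versions in a package-lock.json against the affected
// ranges listed on this page: < 6.26.0, [7.0.0, 7.28.0), [8.0.0, 8.5.0).

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing prerelease
// suffix tolerated) into a numeric triple; null when unparseable.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two numeric triples: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Ranges from the page's Detection Guidance; lo inclusive, hi exclusive.
const AFFECTED_RANGES = [
  { lo: null, hi: '6.26.0' },     // prior to 6.26.0 (fixed in 6.26.0)
  { lo: '7.0.0', hi: '7.28.0' },  // 7.0.0 (inc) to 7.28.0 (exc)
  { lo: '8.0.0', hi: '8.5.0' },   // 8.0.0 (inc) to 8.5.0 (exc)
];

// True when the version falls inside any affected range.
function isAffectedUndici(version) {
  const v = parseSemver(version);
  if (v === null) return false; // unparseable: inspect manually
  return AFFECTED_RANGES.some(({ lo, hi }) =>
    (lo === null || compareSemver(v, parseSemver(lo)) >= 0) &&
    compareSemver(v, parseSemver(hi)) < 0);
}

// Walk a lockfile's "packages" map (lockfileVersion 2 or 3) and return
// every undici entry, top-level or nested, whose version is affected.
function findAffectedUndici(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const isUndici = installPath === 'node_modules/undici' ||
      installPath.endsWith('/node_modules/undici');
    if (isUndici && meta && isAffectedUndici(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/undici': { version: '7.10.0' },
    'node_modules/proxy-lib/node_modules/undici': { version: '8.5.0' },
    'node_modules/ssr-lib/node_modules/undici': { version: '6.20.0' },
  },
};

// Demo run over the constructed lockfile: two of the three copies are affected.
for (const hit of findAffectedUndici(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${hit.path} undici@${hit.version}`);
}
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffectedUndici` instead of the sample. A version match only establishes that the vulnerable parser is present; the page's second condition, that parsed cookie values are forwarded into response headers, still has to be confirmed by reading the code that calls parseSetCookie, parseCookie, or getSetCookies.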

Mitigation Strategies

The primary mitigation is to upgrade undici to a fixed version: v6.26.0, v7.28.0, or v8.5.0.

If upgrading immediately is not possible, do not forward values returned by parseSetCookie, parseCookie, or getSetCookies directly into response headers.

Instead, sanitize these values first to strip or reject carriage return (CR), line feed (LF), null (NUL), semicolon (;), and equals (=) bytes to prevent HTTP response header injection.
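The workaround above, carried into code as an added example that is not part of this advisory, of BaseFortify, or of undici: a value as handed back by a percent-decoding parser is checked for the five bytes the page names before it is placed in a Set-Cookie header. The decoded value and the header names are constructed; no undici call is made, so the example runs without the library installed.

```javascript
// Added example, not code from the advisory or from undici.
// Demonstrates the workaround on this page: never forward a parsed cookie
// value into a response header without first rejecting (or stripping)
// CR, LF, NUL, ';' and '='.

// Bytes that break either the HTTP header grammar (CR, LF, NUL) or the
// cookie grammar (';' separates attributes, '=' separates name and value).
const UNSAFE_BYTE = /[\r\n\0;=]/;      // detection
const UNSAFE_BYTES_G = /[\r\n\0;=]/g;  // strip / re-encode

// Reject mode: returns the value unchanged when clean, null otherwise.
function rejectUnsafeCookieValue(value) {
  return UNSAFE_BYTE.test(value) ? null : value;
}

// Strip mode: drops the unsafe bytes and keeps the rest.
function stripUnsafeCookieValue(value) {
  return value.replace(UNSAFE_BYTES_G, '');
}

// Re-encode mode: restores the percent-encoding the parser removed, so the
// value round-trips unchanged without breaking either grammar.
function percentEncodeUnsafeCookieValue(value) {
  return value.replace(UNSAFE_BYTES_G, (ch) =>
    '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Builds the Set-Cookie header string an application would forward
// downstream; throws rather than emit a header it cannot vouch for.
function buildSetCookieHeader(name, value, attributes = ['Path=/', 'HttpOnly']) {
  if (rejectUnsafeCookieValue(name) === null) {
    throw new Error('cookie name contains header-breaking bytes');
  }
  const safe = rejectUnsafeCookieValue(value);
  if (safe === null) {
    throw new Error('cookie value contains header-breaking bytes');
  }
  return [`${name}=${safe}`, ...attributes].join('; ');
}

// Splits a raw header string on CRLF, the way a downstream HTTP parser
// would; shows how a raw forward of the decoded value yields two headers.
function splitHeaderLines(raw) {
  return raw.split('\r\n');
}

// Constructed: what a percent-decoding parser would hand back for an
// upstream "Set-Cookie: sid=abc%0D%0ASet-Cookie%3A%20evil%3D1".
const DECODED_VALUE = 'abc\r\nSet-Cookie: evil=1';

// Side-by-side: the unsafe raw forward versus each safe handling mode.
function demo() {
  const rawForward = `sid=${DECODED_VALUE}`; // what a vulnerable app would emit
  return {
    linesIfForwardedRaw: splitHeaderLines(rawForward).length, // 2: header was split
    rejected: rejectUnsafeCookieValue(DECODED_VALUE),          // null
    stripped: stripUnsafeCookieValue(DECODED_VALUE),
    encoded: percentEncodeUnsafeCookieValue(DECODED_VALUE),
    safeHeader: buildSetCookieHeader('sid', 'abc'),
  };
}

console.log(demo());
```

Reject mode is the safer default for a proxy or middleware, since a stripped value is silently different from what the upstream set. Node's own http layer throws ERR_INVALID_CHAR when a header value containing CR, LF or NUL is set, so in plain Node the CRLF case usually fails loudly rather than injecting; ';' and '=' pass that check, though, and would still let an upstream append cookie attributes or a second cookie, and frameworks that serialize headers themselves or proxies that write raw bytes get no such check at all, which is why the page's workaround lists all five bytes.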
