Your message dated Mon, 23 Mar 2026 12:07:36 +0000
with message-id <[email protected]>
and subject line Bug#1130882: fixed in node-undici 7.24.5+dfsg+~cs3.2.0-1
has caused the Debian Bug report #1130882,
regarding node-undici: CVE-2026-1527
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-undici.

CVE-2026-1527[0]:
| Impact
|
| When an application passes user-controlled input to the upgrade option
| of client.request(), an attacker can inject CRLF sequences (\r\n) to:
|
|   * Inject arbitrary HTTP headers
|   * Terminate the HTTP request prematurely and smuggle raw data to
|     non-HTTP services (Redis, Memcached, Elasticsearch)
|
| The vulnerability exists because undici writes the upgrade value
| directly to the socket without validating for invalid header
| characters:
|
|   // lib/dispatcher/client-h1.js:1121
|   if (upgrade) {
|     header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
|   }


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1527
    https://www.cve.org/CVERecord?id=CVE-2026-1527
[1] https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
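The CVE text above describes the flaw (an attacker-controlled `upgrade` value interpolated into the request preamble without rejecting CR/LF) but not what it looks like on the wire. The following is an added example, not undici's code and not part of either message in this bug: it reproduces the quoted string-building pattern in a stand-alone function, parses the result back the way a receiving server would to show the injected header and the bytes smuggled past the end-of-headers terminator, and pairs it with a validating variant that rejects control characters in the value. The field-value character check is an RFC 9110 style check written for this illustration; it is not a reproduction of the upstream patch.

```javascript
// Added example (not undici's code): CRLF injection through the `upgrade`
// option, and a validating variant that rejects it.

// Mirrors the pattern quoted from lib/dispatcher/client-h1.js in the CVE text:
// the upgrade value is interpolated straight into the request head.
function buildRequestHeadVulnerable({ method, path, host, upgrade }) {
  let header = `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n`;
  if (upgrade) {
    header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`;
  }
  return header + '\r\n'; // blank line ends the header block
}

// Anything outside HTAB, SP/VCHAR (0x20-0x7e) and obs-text (0x80-0xff) is not
// a legal field-value octet (RFC 9110 5.5). CR and LF in particular must be
// rejected. This check is written for this example, not copied from undici.
const INVALID_FIELD_VALUE = /[^\t\x20-\x7e\x80-\xff]/;

function buildRequestHeadHardened(opts) {
  if (opts.upgrade && INVALID_FIELD_VALUE.test(opts.upgrade)) {
    throw new TypeError('invalid character in upgrade header value');
  }
  return buildRequestHeadVulnerable(opts);
}

// Minimal server-side view: split on the first CRLF CRLF, parse the header
// block, and return whatever followed it as raw trailing bytes.
function parseHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const headText = end === -1 ? raw : raw.slice(0, end);
  const trailing = end === -1 ? '' : raw.slice(end + 4);
  const lines = headText.split('\r\n');
  const requestLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine, headers, trailing };
}

// Constructed attacker inputs for the demonstration.
const INJECT_HEADER = 'websocket\r\nx-injected: 1';          // adds a header
const SMUGGLE_RAW   = 'websocket\r\n\r\nSET key value\r\n';   // ends the request early

function demonstrate() {
  const base = { method: 'GET', path: '/', host: 'example.invalid' };
  const injected = parseHead(buildRequestHeadVulnerable({ ...base, upgrade: INJECT_HEADER }));
  const smuggled = parseHead(buildRequestHeadVulnerable({ ...base, upgrade: SMUGGLE_RAW }));
  let hardenedRejects = false;
  try {
    buildRequestHeadHardened({ ...base, upgrade: SMUGGLE_RAW });
  } catch (e) {
    hardenedRejects = e instanceof TypeError;
  }
  return {
    injectedHeader: injected.headers['x-injected'],   // '1'
    smuggledBytes: smuggled.trailing,                 // starts with 'SET key value'
    hardenedRejects,                                  // true
  };
}

console.log(demonstrate());
```

The `smuggledBytes` value is the point of the second bullet in the advisory text: once the attacker supplies its own blank line, everything after it leaves the HTTP grammar and is delivered to the socket verbatim, which is what makes a text-protocol backend such as Redis a target when the upgrade value is reachable from user input.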
--- Begin Message ---
Source: node-undici
Source-Version: 7.24.5+dfsg+~cs3.2.0-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-undici package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Mar 2026 12:45:37 +0100
Source: node-undici
Architecture: source
Version: 7.24.5+dfsg+~cs3.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1105860 1130879 1130880 1130882 1130883 1130884 1130885
Changes:
 node-undici (7.24.5+dfsg+~cs3.2.0-1) unstable; urgency=medium
 .
   * Declare compliance with policy 4.7.3
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * New upstream version 7.24.5+dfsg+~cs3.2.0
     Fixes: CVE-2026-2581, CVE-2026-2229, CVE-2026-1528, CVE-2026-1527,
     CVE-2026-1526, CVE-2026-1525, CVE-2025-47279.
     Closes: #1130885, #1130884, #1130883, #1130882, #1130880, #1130879,
     #1105860.
Checksums-Sha1:
 5b78ede1f4c0acbb34a37b4c64a199b8748ffc2f 2681 node-undici_7.24.5+dfsg+~cs3.2.0-1.dsc
 1e975bdeff806d9ffb1cb822539a2d74b6b5ac17 40048 node-undici_7.24.5+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
 af7f1218477261436d447089f67b039dfb3033e0 579500 node-undici_7.24.5+dfsg+~cs3.2.0.orig.tar.xz
 ecd358b8907880a0817500a2d61e0d912ec42649 213448 node-undici_7.24.5+dfsg+~cs3.2.0-1.debian.tar.xz
Checksums-Sha256:
 fa9a5d25afb920a5595917634df207365986ec1a069411a176e6abb9e290c024 2681 node-undici_7.24.5+dfsg+~cs3.2.0-1.dsc
 38d43f2df5ac3dcf51cc5a9866973fe5951f90bd44d9fab8dbf0dc2ed0f025f3 40048 node-undici_7.24.5+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
 7535677684926f869e80e5726e19f54ce2bae7dccd837cc9a23295829721e59b 579500 node-undici_7.24.5+dfsg+~cs3.2.0.orig.tar.xz
 bd6298d823398b3f05962a82de9a350755aa25dcab09c24967c585e46490c271 213448 node-undici_7.24.5+dfsg+~cs3.2.0-1.debian.tar.xz
Files:
 268f2ffd94876ce8020dc75405155650 2681 javascript optional node-undici_7.24.5+dfsg+~cs3.2.0-1.dsc
 a03285069cc3d8477877fba2f1eabf2f 40048 javascript optional node-undici_7.24.5+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
 eb0c9ce0438a3575c96d5dc6c717d218 579500 javascript optional node-undici_7.24.5+dfsg+~cs3.2.0.orig.tar.xz
 00fd160dc71e8fdebd12dec4bd969764 213448 javascript optional node-undici_7.24.5+dfsg+~cs3.2.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmnBKDQACgkQ9tdMp8mZ
7umCCQ//U9pmq46b8gocqQ3e6/kYeoN/8PoFmIr4k/7JKkCerlz0Q3BzNtujZX4r
hM8tpy5tpP8ZlL8/fpVgyXvsQC3CCD/yLjlxrn3n0kek8LUACAd66UU2HqtCvbdk
58c890LXKNU8wYSl1G3C0bmtMYdvX1e+K9XwYPia5Aoy2/K0x3c+e+HVjIaOgXJo
zMmyGDDGv7g5sByMIG7Uf9tnXy0ckmitwwKAGd7A/OgZSHmE7JmMEIU21glHAtAt
RNfgxOJI7bf/7UeNc/BKD1gTEOfmanxia238gabhV4F9jW1XWzEeJOOeFrAr8Z3c
Hc3xuAl5f1lvhEyBoosNCCXQXX74+RP3MyDpUDpK/ve0ktUzHa39ADcaeOHT2BoN
gk+52wLEHGLNMOMX2xqw5wnm2h+VN0C3VLwUTzuwwgh1AwXHU0wU6vQk2UcQOzGZ
uw3lPVLbgTIEFRmcLSbfSCrojmcom2rSw+ZeJit5GwPLZgrbVVskjx5T/31XqgJS
RYM61HZEbIPf3sQG64sVMxCfqA0z2/cdofaL/PzgQ+N1GLqkaPPNx54ENhWYDwjy
rbHtZDQaMmNigaC9Sy8qYb1C+0b9xtiM5Yhm/ckNWWHEI2ZS9wGmaUIELhKoXJOw
t77jQswfZpQcniHM0kAUo/wA9VLuT0K9RYTsHcwkol+AyhlGcaE=
=vM9Q
-----END PGP SIGNATURE-----

Attachment: pgplE7AWerTwH.pgp
Description: PGP signature


--- End Message ---