Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for node-undici.

CVE-2026-1525[0]:
| Undici allows duplicate HTTP Content-Length headers when they are
| provided in an array with case-variant names (e.g., Content-Length
| and content-length). This produces malformed HTTP/1.1 requests with
| multiple conflicting Content-Length values on the wire.
|
| Who is impacted:
| * Applications using undici.request(), undici.Client, or similar
|   low-level APIs with headers passed as flat arrays
| * Applications that accept user-controlled header names without
|   case-normalization
|
| Potential consequences:
| * Denial of Service: Strict HTTP parsers (proxies, servers) will
|   reject requests with duplicate Content-Length headers (400 Bad
|   Request)
| * HTTP Request Smuggling: In deployments where an intermediary and
|   backend interpret duplicate headers inconsistently (e.g., one uses
|   the first value, the other uses the last), this can enable request
|   smuggling attacks leading to ACL bypass, cache poisoning, or
|   credential hijacking

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1525
    https://www.cve.org/CVERecord?id=CVE-2026-1525
[1] https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
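The duplicate-header condition described in the report, as an added example that is not part of the bug report, the CVE text, or undici's own code: a pre-flight check for the flat [name, value, name, value, ...] header arrays that undici's low-level APIs accept. It folds header names to lowercase before comparing, reports case-variant duplicates of Content-Length together with the first and last value (the pair an intermediary and a backend may disagree on), and refuses to build the request instead of letting two conflicting Content-Length lines reach the wire. The singleton-header list, the helper names, and the sample inputs are assumptions of this example and run without undici installed.

```javascript
// Added example, not undici code and not from the bug report.
// Validates flat header arrays of the shape
//   ['Content-Length', '5', 'content-length', '12', ...]
// before they are handed to undici.request() / undici.Client.
// HTTP field names are case-insensitive (RFC 9110), so comparison is
// done on the lowercased name.

// Headers that must occur at most once in a request and that a strict
// parser rejects when duplicated with differing values (RFC 9112, 6.3).
// The exact list is an assumption of this example.
const SINGLETON_HEADERS = new Set(['content-length', 'host', 'transfer-encoding']);

// Group a flat [name, value, ...] array by case-folded name.
// Returns Map<lowerName, { names: string[], values: string[] }> so the
// original spellings survive for reporting.
function groupFlatHeaders(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even number of entries');
  }
  const groups = new Map();
  for (let i = 0; i < flat.length; i += 2) {
    const rawName = String(flat[i]);
    const key = rawName.toLowerCase();
    let group = groups.get(key);
    if (!group) {
      group = { names: [], values: [] };
      groups.set(key, group);
    }
    group.names.push(rawName);
    group.values.push(String(flat[i + 1]));
  }
  return groups;
}

// Report singleton headers that occur more than once after case-folding.
// Each finding carries the first and last value: a "first wins" proxy and
// a "last wins" backend would frame the body differently, which is the
// smuggling discrepancy the advisory describes.
function findConflictingHeaders(flat) {
  const findings = [];
  for (const [key, group] of groupFlatHeaders(flat)) {
    if (SINGLETON_HEADERS.has(key) && group.values.length > 1) {
      findings.push({
        name: key,
        spellings: group.names,
        first: group.values[0],
        last: group.values[group.values.length - 1],
        conflicting: new Set(group.values).size > 1,
      });
    }
  }
  return findings;
}

// Build a lowercase-keyed header object suitable for undici's `headers`
// option, or throw if any singleton header is duplicated. Other repeated
// headers are joined with ", " as RFC 9110, 5.3 allows for list-valued
// fields (Cookie is a known exception and would need "; " in real code).
function normalizeFlatHeaders(flat) {
  const bad = findConflictingHeaders(flat);
  if (bad.length > 0) {
    const detail = bad
      .map((f) => `${f.name} as ${f.spellings.join(' / ')} (${f.first} vs ${f.last})`)
      .join('; ');
    throw new Error(`refusing to send duplicate singleton header(s): ${detail}`);
  }
  const out = {};
  for (const [key, group] of groupFlatHeaders(flat)) {
    out[key] = group.values.join(', ');
  }
  return out;
}

// Constructed sample inputs (not captured traffic).
// Shaped like the report: one header under two spellings, two values.
const SMUGGLING_SHAPED = ['Host', 'example.test', 'Content-Length', '5', 'content-length', '12'];
// Harmless: a list-valued header repeated, singleton headers once each.
const CLEAN = ['host', 'example.test', 'content-length', '5', 'Accept', 'text/html', 'accept', 'application/json'];

const SMUGGLING_FINDINGS = findConflictingHeaders(SMUGGLING_SHAPED);
const CLEAN_HEADERS = normalizeFlatHeaders(CLEAN);
```

Use `normalizeFlatHeaders` on any header array that contains user-controlled names before calling `undici.request`; the thrown error is the safe outcome, since a request with two conflicting Content-Length values has no single correct framing.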

