Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-undici.

CVE-2026-1527[0]:
| Impact
|
| When an application passes user-controlled input to the upgrade option
| of client.request(), an attacker can inject CRLF sequences (\r\n) to:
|
|   * Inject arbitrary HTTP headers
|   * Terminate the HTTP request prematurely and smuggle raw data to
|     non-HTTP services (Redis, Memcached, Elasticsearch)
|
| The vulnerability exists because undici writes the upgrade value
| directly to the socket without validating for invalid header
| characters:
|
|   // lib/dispatcher/client-h1.js:1121
|   if (upgrade) {
|     header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
|   }


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1527
    https://www.cve.org/CVERecord?id=CVE-2026-1527
[1] https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
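The mechanics described in the quoted advisory, as an added example that is not undici's code and not part of the bug report: an unchecked `upgrade` value is interpolated into the header block, a CRLF-carrying value adds a header of its own and ends the HTTP request early, and whatever follows the blank line reaches the peer as raw bytes. Beside it sits a hardened builder that rejects control characters in the field value before anything is written. The function names, the validation regex, the `example.internal` host and the sample payload are all constructed for this illustration; the check is one reasonable way to enforce RFC 9110 field-value syntax, not a description of the upstream fix.

```javascript
// Added example, not undici's code: how a CRLF in the `upgrade` option
// value turns a single header into injected headers plus raw bytes after
// the header block, and a check that rejects such values before they are
// ever written to the socket. All names and the sample payload are
// constructed for this illustration.

// Modelled on the pattern quoted in the advisory: the caller-supplied
// value is interpolated into the header block without any validation.
function buildUpgradeHeaderUnsafe(upgrade) {
  return `connection: upgrade\r\nupgrade: ${upgrade}\r\n`;
}

// RFC 9110 field values may contain VCHAR, SP, HTAB and obs-text, but
// never CR, LF, NUL, other C0 controls or DEL. HTAB (0x09) stays allowed.
const INVALID_FIELD_VALUE_CHAR = /[\x00-\x08\x0a-\x1f\x7f]/;

function assertValidHeaderValue(name, value) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string`);
  }
  if (INVALID_FIELD_VALUE_CHAR.test(value)) {
    throw new TypeError(`invalid ${name} header value: contains control characters`);
  }
  return value;
}

// Hardened variant: identical output for benign values, refuses anything
// that could break out of its own header line.
function buildUpgradeHeaderSafe(upgrade) {
  return `connection: upgrade\r\nupgrade: ${assertValidHeaderValue('upgrade', upgrade)}\r\n`;
}

// Assemble the request the client would write (constructed minimal GET).
function buildRequest(upgradeHeader) {
  return `GET / HTTP/1.1\r\nhost: example.internal\r\n${upgradeHeader}\r\n`;
}

// Parse the bytes back the way a receiving server, or a line-oriented
// non-HTTP service, would see them: header lines up to the first blank
// line, and any raw bytes that follow it.
function analyzeRequest(requestBytes) {
  const end = requestBytes.indexOf('\r\n\r\n');
  const headerBlock = end === -1 ? requestBytes : requestBytes.slice(0, end);
  const trailing = end === -1 ? '' : requestBytes.slice(end + 4);
  const [requestLine, ...lines] = headerBlock.split('\r\n');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine, headers, trailing };
}

// Constructed attacker value: a plausible protocol name, an injected
// header, a blank line that terminates the HTTP request, and a raw
// command aimed at a line-based backend such as Redis or Memcached.
const MALICIOUS_UPGRADE = 'websocket\r\nx-injected: 1\r\n\r\nSET key value\r\n';

function demoUnsafe(upgrade = MALICIOUS_UPGRADE) {
  return analyzeRequest(buildRequest(buildUpgradeHeaderUnsafe(upgrade)));
}

function demoSafe(upgrade = MALICIOUS_UPGRADE) {
  try {
    return { rejected: false, request: analyzeRequest(buildRequest(buildUpgradeHeaderSafe(upgrade))) };
  } catch (err) {
    return { rejected: true, reason: err.message };
  }
}

console.log(JSON.stringify({ unsafe: demoUnsafe(), safe: demoSafe(), benign: demoSafe('websocket') }, null, 2));
```

Run with `node` and compare the `unsafe` and `safe` objects: the unsafe path shows `x-injected` among the parsed headers and `SET key value` in `trailing`, which is exactly what a Redis or Memcached listener on the target port would execute; the safe path rejects the value with a `TypeError` while still emitting the normal two header lines for a plain `websocket`.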
