NVD - CVE-2026-1527 (original) (raw)
Initial Analysis by NIST 3/20/2026 11:49:31 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* versions up to (excluding) 6.24.0 *cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:* versions from (including) 7.0.0 up to (excluding) 7.24.0 | |
| Added | Reference Type | openjs: https://cna.openjsf.org/security-advisories.html Types: Vendor Advisory | |
| Added | Reference Type | openjs: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq Types: Mitigation, Patch, Vendor Advisory | |
| Added | Reference Type | openjs: https://hackerone.com/reports/3487198 Types: Permissions Required |
New CVE Received from openjs 3/12/2026 5:16:25 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` } | |
| Added | CVSS V3.1 | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | |
| Added | CWE | CWE-93 | |
| Added | Reference | https://cna.openjsf.org/security-advisories.html | |
| Added | Reference | https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq | |
| Added | Reference | https://hackerone.com/reports/3487198 |