CVE-2026-1525 Overview
CVE-2026-1525 is an HTTP Request Smuggling vulnerability in Undici, the popular Node.js HTTP client. The flaw allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire, violating RFC 9110 Section 8.6 which mandates that a request must not contain more than one Content-Length header field.
Critical Impact
This vulnerability can lead to HTTP Request Smuggling attacks enabling ACL bypass, cache poisoning, or credential hijacking when intermediary proxies and backend servers interpret duplicate headers inconsistently.
Affected Products
- Undici HTTP client library (applications using undici.request(), undici.Client, or similar low-level APIs)
- Node.js applications with headers passed as flat arrays
- Applications accepting user-controlled header names without case-normalization
Discovery Timeline
- 2026-03-12 - CVE-2026-1525 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-1525
Vulnerability Analysis
This vulnerability falls under CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). The root issue is that Undici's header processing logic fails to properly normalize and deduplicate Content-Length headers when they are specified with different letter cases in an array format.
When an application passes headers as a flat array containing both Content-Length and content-length (or other case variations), Undici transmits both headers in the outbound HTTP request. This creates a protocol violation that can be exploited in multi-tier architectures where different components handle the duplicate headers differently.
The attack surface includes applications using Undici's low-level APIs (undici.request(), undici.Client) where header arrays are constructed dynamically, particularly when header names are derived from user input without proper case normalization.
Root Cause
The vulnerability stems from insufficient input validation in Undici's header processing pipeline. HTTP header names are case-insensitive per the HTTP specification, but Undici's implementation treats case-variant header names as distinct entries when provided in array format. This allows multiple Content-Length headers to be emitted, each potentially with a different value, creating request ambiguity.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
Denial of Service: Strict HTTP parsers in proxies and servers will reject requests containing duplicate Content-Length headers with a 400 Bad Request response, disrupting legitimate application functionality.
HTTP Request Smuggling: In deployments where an intermediary (proxy, load balancer, WAF) and backend server interpret duplicate headers inconsistently—for example, one uses the first Content-Length value while the other uses the last—an attacker can smuggle additional requests. This enables ACL bypass, cache poisoning, and credential hijacking attacks.
The vulnerability is exploitable when applications construct headers from user input without normalizing header name case, allowing attackers to inject case-variant duplicate headers.
Detection Methods for CVE-2026-1525
Indicators of Compromise
- HTTP 400 Bad Request responses from upstream proxies or servers with error messages referencing duplicate or conflicting Content-Length headers
- Unusual cache behavior indicating potential cache poisoning attacks
- Authentication or authorization anomalies suggesting request smuggling exploitation
- Network traffic containing HTTP requests with multiple Content-Length headers
Detection Strategies
- Monitor application logs for increased 400-series error responses from backend services or proxies
- Implement HTTP protocol analyzers to detect malformed requests with duplicate singleton headers
- Review code paths where HTTP headers are constructed from user input or external data sources
- Deploy Web Application Firewalls (WAF) with rules to detect and block requests containing duplicate Content-Length headers
Monitoring Recommendations
- Enable verbose logging on reverse proxies and load balancers to capture header-related rejections
- Implement network-level monitoring for HTTP protocol violations
- Set up alerting for unusual patterns in cache hit/miss ratios that may indicate cache poisoning
- Monitor for request smuggling indicators such as unexpected request boundaries or cross-user data leakage
How to Mitigate CVE-2026-1525
Immediate Actions Required
- Review applications using Undici's low-level APIs (undici.request(), undici.Client) for header array usage
- Implement case-insensitive header deduplication before passing headers to Undici
- Validate and normalize all user-controlled header names to prevent case-variant injection
- Consider using Undici's object-based header format instead of flat arrays where possible
Patch Information
Consult the GitHub Security Advisory GHSA-2mjp-6q6p-2qxm for the latest patched version information and upgrade instructions. Additional details are available from the OpenJS Foundation Security Advisory and the original HackerOne Report #3556037.
Workarounds
- Implement a middleware layer to normalize header names to a consistent case (e.g., lowercase) before passing to Undici
- Add validation logic to reject or deduplicate headers when the same header appears multiple times with different casing
- Use object-based header configuration instead of array format to prevent duplicate key scenarios
- Deploy strict HTTP protocol enforcement at the proxy layer to reject requests with protocol violations
# Example: Update Undici to the latest patched version
npm update undici
# Or install a specific patched version
npm install undici@latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
