CVE-2026-1527 Overview
CVE-2026-1527 is a CRLF (Carriage Return Line Feed) injection vulnerability in the Node.js undici HTTP client library. The flaw exists in the upgrade option of client.request(), which writes user-supplied values directly to the socket without validating header characters. Attackers who control the upgrade input can inject \r\n sequences to add arbitrary HTTP headers or smuggle raw protocol data to backend services such as Redis, Memcached, and Elasticsearch. The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences).
Critical Impact
An authenticated attacker passing controlled input to the upgrade option can inject HTTP headers and smuggle data to non-HTTP services reachable by the application.
Affected Products
- Node.js undici HTTP client library
- Applications that pass user-controlled input to the upgrade option of client.request()
- Backend services reachable through undici connections (Redis, Memcached, Elasticsearch)
Discovery Timeline
- 2026-03-12 - CVE-2026-1527 published to the National Vulnerability Database (NVD)
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-1527
Vulnerability Analysis
The vulnerability resides in undici's HTTP/1 client dispatcher. When an application passes a value to the upgrade option of client.request(), the library concatenates that value into the raw HTTP request head without sanitizing control characters. The relevant code in lib/dispatcher/client-h1.js appends the upgrade value directly after connection: upgrade\r\n as the value of the upgrade: header line, followed by a trailing \r\n.
Because the value is not validated, an attacker who controls the input can include \r\n sequences to terminate the upgrade header and insert arbitrary headers, a request body, or even an entirely different protocol payload. This results in HTTP header injection and, when the destination socket speaks a line-based protocol, request smuggling against internal services.
Root Cause
The root cause is missing input validation on header field values [CWE-93]. The upgrade parameter is treated as a trusted header value and written verbatim to the socket. Standard header injection defenses require rejecting or escaping CR (\r, 0x0D) and LF (\n, 0x0A) octets in any user-controlled header component.
Attack Vector
Exploitation requires the attacker to influence the upgrade argument passed to undici's client.request(). An attacker supplies a payload such as websocket\r\nX-Injected: attacker\r\n\r\nGET /admin to add headers, prematurely end the HTTP request, and append additional raw bytes interpreted by the downstream service. When undici is pointed at internal Redis, Memcached, or Elasticsearch listeners, the smuggled bytes can execute commands against those services from the application's network position. User interaction is required and the attacker must already have authenticated access to the calling application.
The vulnerable behavior is described in the GitHub Security Advisory GHSA-4992 and the HackerOne Security Report #3487198. No public proof-of-concept exploit is currently listed in Exploit-DB.
Detection Methods for CVE-2026-1527
Indicators of Compromise
- Outbound HTTP requests from Node.js services containing literal \r\n sequences inside the Upgrade header value
- Unexpected commands appearing in Redis, Memcached, or Elasticsearch logs originating from application service accounts
- HTTP responses logged with duplicate or attacker-controlled headers that the application did not intend to send
Detection Strategies
- Inventory Node.js applications using undici and grep source code for client.request( and upgrade: to locate call sites accepting external input
- Inspect application logs and egress proxy logs for outbound requests whose Upgrade header contains control characters or unexpected colons
- Run software composition analysis (SCA) against package-lock.json and yarn.lock to flag vulnerable undici versions referenced by the advisory
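The following is an added example, not part of the advisory or of undici: a small scanner that applies the indicators and detection strategies listed above to egress-proxy log records. The JSON-lines log shape, the sample records, and the function names findUpgradeIndicators and scanLogLines are all constructed for illustration. It flags an Upgrade header value that contains raw or escaped CR/LF/NUL, a value with an unexpected colon (a sign that a second header line was folded into it), and HTTP egress to the default Redis, Memcached, or Elasticsearch ports.

```javascript
// Added example (constructed log format, not real traffic): score egress-proxy
// log records for the CVE-2026-1527 indicators listed in the advisory.
const DATASTORE_PORTS = new Map([
  [6379, 'redis'],
  [11211, 'memcached'],
  [9200, 'elasticsearch'],
]);

// Raw control octets, their escaped spellings as a logger tends to write them,
// and their percent-encoded forms.
const CONTROL_OR_ESCAPED = /[\r\n\0]|\\r|\\n|\\0|%0[aAdD]/;

// Return the list of reasons one record is suspicious (empty when clean).
function findUpgradeIndicators(record) {
  const reasons = [];
  const headers = record.headers || {};
  // Header names are case-insensitive; normalise before lookup.
  const upgrade = Object.entries(headers).find(([k]) => k.toLowerCase() === 'upgrade');
  if (upgrade) {
    const value = String(upgrade[1]);
    if (CONTROL_OR_ESCAPED.test(value)) reasons.push('control characters in Upgrade value');
    if (value.includes(':')) reasons.push('unexpected colon in Upgrade value');
  }
  const port = Number(String(record.dst || '').split(':').pop());
  if (DATASTORE_PORTS.has(port)) {
    reasons.push(`HTTP egress to ${DATASTORE_PORTS.get(port)} port ${port}`);
  }
  return reasons;
}

// Scan JSON-lines records and return one alert per suspicious record.
function scanLogLines(lines) {
  const alerts = [];
  for (const line of lines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    const reasons = findUpgradeIndicators(record);
    if (reasons.length > 0) {
      alerts.push({ ts: record.ts, src: record.src, dst: record.dst, reasons });
    }
  }
  return alerts;
}

// Constructed sample log lines (hypothetical hosts and addresses).
const SAMPLE_LOG = [
  '{"ts":"2026-03-13T10:00:01Z","src":"10.0.1.5","dst":"api.example.internal:443","headers":{"upgrade":"websocket"}}',
  '{"ts":"2026-03-13T10:00:02Z","src":"10.0.1.5","dst":"10.0.2.9:6379","headers":{"Upgrade":"websocket\\r\\nX-Injected: attacker"}}',
  '{"ts":"2026-03-13T10:00:03Z","src":"10.0.1.7","dst":"10.0.2.10:9200","headers":{}}',
  'not json at all',
];

console.log(JSON.stringify(scanLogLines(SAMPLE_LOG), null, 2));
```

Run on the constructed sample, the scanner reports two alerts: the second record (control characters, a colon, and a Redis port) and the third (an Elasticsearch port with no Upgrade header at all), while the clean WebSocket request and the malformed line produce nothing. The port check matters because the smuggling described in this advisory only does damage when the HTTP client is pointed at a non-HTTP listener.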
Monitoring Recommendations
- Forward outbound HTTP egress logs and Redis/Memcached/Elasticsearch access logs into a central data lake and alert on protocol anomalies from application IP ranges
- Monitor process telemetry for Node.js workloads making unexpected connections to internal datastore ports
- Track dependency manifests in CI/CD to alert when a vulnerable undici version is introduced or remains pinned
How to Mitigate CVE-2026-1527
Immediate Actions Required
- Upgrade undici to the fixed version identified in GHSA-4992-7rv2-5pvq
- Audit every call to client.request() and remove or strictly validate any user input flowing into the upgrade option
- Restrict egress from Node.js services so they cannot reach internal Redis, Memcached, or Elasticsearch instances directly when not required
Patch Information
The maintainers published a patched release through the OpenJS Foundation. Refer to the OpenJS Foundation Security Advisories and GitHub Security Advisory GHSA-4992 for the exact fixed version and changelog entry. Update the undici dependency and rebuild lockfiles across all affected services.
Workarounds
- Reject any external value containing \r, \n, or \0 before passing it to undici
- Hardcode the upgrade value (for example, websocket) instead of constructing it from request parameters
- Place an HTTP egress proxy in front of Node.js services to normalize headers and drop requests with control characters
# Update undici to the patched release
npm install undici@latest
# Verify the resolved version
npm ls undici
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.