Description
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), `undici.
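As an added example (not undici's own code and not part of this advisory), the pre-send check a client wrapper can run before handing headers to a request call: it folds every header name to lowercase so that case-variant duplicates collapse onto one key, refuses the request when more than one Content-Length survives, and returns the folded header set that is safe to send. It accepts object, paired-array and flat-array inputs; those input shapes and the sample headers are assumptions constructed for the example, not undici's documented contract.

```javascript
// Added example, not undici's code. Case-folding header validation that
// refuses to send a request carrying conflicting Content-Length headers.
//
// Assumption: headers arrive as a plain object, an array of [name, value]
// pairs, or a flat [name, value, name, value, ...] array. These shapes are
// constructed for the example and are not undici's contract.

// Request headers that must appear at most once in an HTTP/1.1 message.
const SINGLETON_HEADERS = new Set(['content-length', 'host']);

// Normalise any supported input shape to an array of [name, value] pairs.
function toPairs(headers) {
  if (Array.isArray(headers)) {
    if (headers.length > 0 && Array.isArray(headers[0])) {
      return headers.map(([n, v]) => [n, v]);
    }
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even length');
    }
    const pairs = [];
    for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
    return pairs;
  }
  return Object.entries(headers);
}

// Returns { ok, problems, headers }. `headers` is the case-folded map that is
// safe to send when `ok` is true; `problems` lists every conflict found.
function validateHeaders(input) {
  const folded = new Map(); // lowercase name -> value
  const problems = [];
  for (const [rawName, rawValue] of toPairs(input)) {
    const name = String(rawName).toLowerCase();
    const value = String(rawValue).trim();
    if (name === 'content-length' && !/^[0-9]+$/.test(value)) {
      problems.push(`content-length value ${JSON.stringify(value)} is not a non-negative integer`);
    }
    if (!folded.has(name)) {
      folded.set(name, value);
      continue;
    }
    if (SINGLETON_HEADERS.has(name)) {
      // A second Content-Length (or Host) under any casing: refuse to send
      // rather than emit two framing headers on the wire.
      problems.push(
        `duplicate ${name} header (given as ${JSON.stringify(rawName)}): ` +
        `${JSON.stringify(folded.get(name))} vs ${JSON.stringify(value)}`
      );
    } else {
      // Other repeatable headers are joined with list syntax; Cookie is the
      // request-side exception and uses "; " between pairs.
      const sep = name === 'cookie' ? '; ' : ', ';
      folded.set(name, `${folded.get(name)}${sep}${value}`);
    }
  }
  return { ok: problems.length === 0, problems, headers: Object.fromEntries(folded) };
}

// Throwing wrapper for use directly in front of a request call.
function assertSafeHeaders(input) {
  const result = validateHeaders(input);
  if (!result.ok) throw new Error('refusing to send request: ' + result.problems.join('; '));
  return result.headers;
}

// Constructed sample: the case-variant duplicate the advisory describes.
const suspicious = [['Content-Length', '5'], ['content-length', '11'], ['Host', 'example.test']];
console.log(validateHeaders(suspicious));

// Constructed sample: a clean header set passes and comes back case-folded.
console.log(assertSafeHeaders({ 'Content-Length': '5', Accept: 'text/plain' }));
```

The check is deliberately strict: it rejects a repeated Content-Length even when both copies carry the same number, because the safe behaviour for a framing header is to send exactly one copy, and the folded map returned on success already has a single key per name.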
Recommendation
Update the undici package to the latest compatible version. Version details:
Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**
Patched version(s): **7.24.0** and **6.24.0**
References
- GHSA-2mjp-6q6p-2qxm
- hackerone.com
- cna.openjsf.org
- cwe.mitre.org
- www.rfc-editor.org
- CVE-2026-1525
- CWE-444
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- React Router has CSRF issue in Action/Server Action Request Processing - CVE-2026-22030
- Preact has JSON VNode Injection issue - CVE-2026-22028
- Tags:
- npm
- undici
Last updated on March 13, 2026