Description
When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
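The root of the issue is that the `upgrade` value is a header value, and a CR or LF can never legitimately appear in one. The following is an added example (not undici's own code) of validating a user-supplied Upgrade protocol name against the RFC 9110 token grammar before it reaches `client.request()`; the `client` object is injected so the check can be exercised without a live server, which is an assumption of the example.

```javascript
// Added example (not undici's own code): reject any Upgrade value that is not
// a single well-formed protocol name before it is handed to client.request().
// RFC 9110 defines each Upgrade protocol as token ["/" token]; CR, LF and
// whitespace are not token characters, so they can never pass this check.
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const PROTOCOL_RE = new RegExp(`^${TCHAR}(?:/${TCHAR})?$`);

// Returns true only for values such as "websocket" or "HTTP/2.0";
// anything containing CR, LF, spaces or other non-token bytes is rejected.
function isValidUpgradeProtocol(value) {
  return typeof value === "string" && PROTOCOL_RE.test(value);
}

// Wrapper around an undici-style client (assumption: it exposes request()).
// Validation happens synchronously, so an unsafe value never reaches the
// client and the caller gets an exception instead of a smuggled request.
function safeUpgradeRequest(client, path, upgrade) {
  if (!isValidUpgradeProtocol(upgrade)) {
    throw new Error("rejected unsafe Upgrade value: " + JSON.stringify(upgrade));
  }
  return client.request({ path, method: "GET", upgrade });
}

// Constructed attacker-style input (not from the advisory) to show the
// validator rejecting a CRLF-bearing value while accepting a normal one.
const SAMPLE_INPUTS = ["websocket", "websocket\r\nX-Injected: 1"];
for (const v of SAMPLE_INPUTS) {
  console.log(JSON.stringify(v), "->", isValidUpgradeProtocol(v) ? "accepted" : "rejected");
}
```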
Recommendation
Update the undici package to the latest compatible version. Version details:
Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**
Patched version(s): **7.24.0** and **6.24.0**
References
- GHSA-4992-7rv2-5pvq
- hackerone.com
- cna.openjsf.org
- CVE-2026-1527
- CWE-93
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
Tags: npm, undici
Last updated on March 13, 2026