Description
When an application passes user-controlled input to the upgrade option of client.request() in undici, an attacker can inject CRLF sequences (\r\n) into the outgoing HTTP/1.1 request to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
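The following JavaScript is an added example, not part of this advisory and not undici's own code. It makes the two bullets above concrete: a hypothetical, deliberately simplified serializer (naiveUpgradeRequest, which only concatenates header lines the way they appear on the wire, and is not undici's serializer) shows how a CRLF in the upgrade value adds a header and leaves raw data after the blank line, and an allow-list check based on the RFC 9110 Upgrade grammar rejects such input before a request is built. The attacker input and host name are constructed for the example.

```javascript
// Added example (not from the advisory and not undici's code): what a CRLF
// in the `upgrade` value does to an HTTP/1.1 request on the wire, and an
// allow-list check that rejects such input before it reaches the client.

// Hypothetical, deliberately simplified serializer: it only concatenates the
// request line and header lines the way they appear on the wire. It is NOT
// undici's implementation; it exists to make the injected bytes visible.
function naiveUpgradeRequest(path, host, upgradeValue) {
  return (
    `GET ${path} HTTP/1.1\r\n` +
    `host: ${host}\r\n` +
    `connection: upgrade\r\n` +
    `upgrade: ${upgradeValue}\r\n` +
    '\r\n'
  );
}

// Split serialized bytes the way a receiver would: everything before the
// first empty line is the header block; anything after it is raw data that
// a non-HTTP service such as Redis would read as its own protocol.
function parseWire(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  const trailing = end === -1 ? '' : raw.slice(end + 4);
  const [requestLine, ...headerLines] = head.split('\r\n');
  const headers = headerLines.map((l) => {
    const i = l.indexOf(':');
    return (i === -1 ? l : l.slice(0, i)).trim().toLowerCase();
  });
  return { requestLine, headers, trailing };
}

// RFC 9110 grammar for Upgrade: a comma-separated list of
// protocol-name ["/" protocol-version], where both parts are tokens.
// Matching the whole value against this grammar rejects CR, LF and every
// other control or non-token character; it never tries to strip them.
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const PROTOCOL = `${TCHAR}(?:\\/${TCHAR})?`;
const UPGRADE_VALUE = new RegExp(`^${PROTOCOL}(?:[ \\t]*,[ \\t]*${PROTOCOL})*$`);

function isValidUpgradeValue(value) {
  return typeof value === 'string' && UPGRADE_VALUE.test(value);
}

// Hardened wrapper: refuse to build the request at all on invalid input.
function safeUpgradeRequest(path, host, upgradeValue) {
  if (!isValidUpgradeValue(upgradeValue)) {
    throw new TypeError('invalid Upgrade header value');
  }
  return naiveUpgradeRequest(path, host, upgradeValue);
}

// Constructed attacker input: a legitimate protocol name followed by an
// injected header, a blank line, and a Redis-style command.
const INJECTED_UPGRADE = 'websocket\r\nx-injected: 1\r\n\r\nSET pwned 1\r\n';

// Vulnerable path: the value is passed through unchecked, so the parsed
// result carries an extra header and smuggled trailing data.
function demoVulnerable() {
  return parseWire(naiveUpgradeRequest('/', 'example.test', INJECTED_UPGRADE));
}

// Hardened path: returns 'rejected' instead of a request.
function demoHardened() {
  try {
    safeUpgradeRequest('/', 'example.test', INJECTED_UPGRADE);
    return 'accepted';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error';
  }
}

console.log(demoVulnerable(), demoHardened());
```

Updating undici to a patched version is the fix; the allow-list is the check a caller should apply anyway, because any header value built from user input needs one. Matching the whole value against the token grammar is preferable to stripping \r and \n, since stripping leaves other control characters and encodings in place and silently changes what the user sent.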
Recommendation
Update the undici package to the latest compatible version. Version details:
Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**
Patched version(s): **7.24.0** and **6.24.0**
References
- GHSA-4992-7rv2-5pvq
- hackerone.com
- cna.openjsf.org
- CVE-2026-1527
- CWE-93
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter - CVE-2026-29793
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
Tags:
- npm
- undici
Last updated on March 13, 2026