undici
CVE-2026-11525
LOW
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
AV:N because exploitation requires a network-accessible upstream server under attacker control; AC:H for that server-control prerequisite; PR:N as no client-side privileges are needed; I:L for integrity impact limited to SameSite policy downgrade; C and A remain N.
Primary rating from Vendor (openjs).
CVSS Vector (Vendor: openjs)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (CVE.org)
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).
Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.
This was introduced in undici 5.15.0 when the cookies feature was added.
Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.
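The workaround above, implemented as an added example (this is not undici's code and not from the advisory's author): after a Set-Cookie header has been parsed, the sameSite attribute is accepted only when it is an exact, case-insensitive match for one of the three RFC 6265 tokens, and anything else is rejected rather than forwarded. The cookie object shape (`name`, `value`, `sameSite`) and the sample cookies are assumptions constructed for the example; a small extractor is included so the same check can be run against the raw header line before any library has normalized it.

```javascript
// Added example: spec-compliant validation of a parsed SameSite attribute,
// as a guard in front of any code that forwards or relies on it.

const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Return the canonical token for a valid SameSite value, or null otherwise.
// The comparison is an exact match after trimming and case-folding, so
// 'strict' -> 'Strict' but 'StrictLax' -> null and
// 'NoneOfYourBusiness' -> null (the substring matcher would accept both).
function normalizeSameSite(value) {
  if (typeof value !== 'string') return null;
  const needle = value.trim().toLowerCase();
  const token = SAMESITE_TOKENS.find((t) => t.toLowerCase() === needle);
  return token ?? null;
}

// Pull the raw SameSite attribute value out of a Set-Cookie header line
// (null when the attribute is absent). Only the attributes after the first
// name=value pair are inspected; attribute names are case-insensitive.
function rawSameSiteAttribute(setCookieHeader) {
  const attributes = String(setCookieHeader).split(';').slice(1);
  for (const attr of attributes) {
    const eq = attr.indexOf('=');
    const attrName = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (attrName === 'samesite') {
      return eq === -1 ? '' : attr.slice(eq + 1).trim();
    }
  }
  return null;
}

// Vet one parsed cookie object (assumed shape: { name, value, sameSite? }).
// A missing attribute is passed through unchanged, since SameSite is
// optional; a present attribute must normalize to one of the three tokens,
// otherwise the cookie is reported so the caller can drop it instead of
// forwarding a silently downgraded policy.
function vetParsedCookie(cookie) {
  if (cookie.sameSite === undefined || cookie.sameSite === null) {
    return { ok: true, cookie };
  }
  const canonical = normalizeSameSite(cookie.sameSite);
  if (canonical === null) {
    return {
      ok: false,
      reason: `rejected non-spec SameSite value ${JSON.stringify(cookie.sameSite)} on cookie ${cookie.name}`,
    };
  }
  return { ok: true, cookie: { ...cookie, sameSite: canonical } };
}

// Split a list of parsed cookies into those safe to forward and a list of
// rejection reasons suitable for logging.
function filterForwardableCookies(cookies) {
  const forward = [];
  const rejected = [];
  for (const c of cookies) {
    const result = vetParsedCookie(c);
    if (result.ok) forward.push(result.cookie);
    else rejected.push(result.reason);
  }
  return { forward, rejected };
}

// Constructed sample input, including the two malformed values named in the
// advisory; not real upstream data.
const SAMPLE_COOKIES = [
  { name: 'sid', value: 'abc', sameSite: 'Strict' },
  { name: 'pref', value: '1', sameSite: 'lax' },
  { name: 'track', value: 'x', sameSite: 'NoneOfYourBusiness' },
  { name: 'csrf', value: 'y', sameSite: 'StrictLax' },
  { name: 'plain', value: 'z' },
];

const demo = filterForwardableCookies(SAMPLE_COOKIES);
console.log('forward:', demo.forward.map((c) => `${c.name}; SameSite=${c.sameSite ?? '(absent)'}`));
console.log('rejected:', demo.rejected);
```

In a proxy, `vetParsedCookie` runs on each parsed cookie before it is written to the downstream response; rejecting the cookie (and logging the reason) is the safe default, since forwarding it with any of the three tokens would mean guessing the upstream's intent.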
Analysis (AI)
SameSite attribute parsing in undici's cookie implementation uses substring matching instead of the case-insensitive exact match required by RFC 6265, enabling a malicious or non-compliant upstream server to silently downgrade a cookie's SameSite enforcement to a more permissive value. All undici installations from v5.15.0 onward through the unpatched release branches are affected when consuming Set-Cookie headers via undici's fetch or proxy code paths and forwarding or relying on the parsed sameSite attribute. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application uses undici v5.15.0 or later to consume Set-Cookie response headers from an upstream server, specifically via undici's fetch or proxy code paths, and then forwards or makes security decisions based on the parsed sameSite attribute value. … |
| Risk Assessment | The NVD CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N is consistent with the nature of the flaw: network-accessible but requiring attacker control of an upstream server (AC:H), with impact limited to a silent integrity downgrade of cookie policy enforcement (I:L) and no confidentiality or availability impact. … |
| Exploit Scenario | An attacker controlling a malicious upstream server responds to an undici-based reverse proxy or fetch client with a Set-Cookie header containing 'SameSite=StrictLax'; undici parses this as SameSite=Lax, silently downgrading from the server's apparent intent of Strict enforcement. The consuming application forwards this weakened sameSite attribute to downstream clients, and a cross-site request that would have been blocked under correct Strict enforcement now succeeds, potentially undermining CSRF protections in applications that rely on the proxied cookie's SameSite policy. |
| Remediation | The primary fix is to upgrade undici to v6.26.0, v7.28.0, or v8.5.0, which implement spec-compliant case-insensitive exact matching for SameSite attribute values per RFC 6265. … |