
Undici CVE-2026-6733

Severity: LOW (CVSS 3.1 base score 3.7)
Weakness: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Published: 2026-06-17
Vendor: openjs

Severity by source

Vendor (openjs), primary source: 3.7 LOW, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI: 3.7 LOW

Upstream server control is a genuine non-trivial prerequisite (AC:H); no client-side privileges are required (PR:N); impact is limited to response integrity misrouting with no confidentiality or availability consequence.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (openjs).

CVSS Vector (Vendor: openjs)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 18:11 (vuln.today)

Description (CVE.org)

Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

Analysis (AI)

Response queue poisoning in Undici's HTTP/1.1 client allows an attacker-controlled or compromised upstream server to inject unsolicited HTTP responses onto idle keep-alive sockets, causing subsequent outbound requests to receive falsified responses. All Undici versions across the v6, v7, and v8 branches prior to the patched releases are affected when keep-alive connection reuse is active (the default). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain control of upstream HTTP/1.1 server
Delivery: Complete legitimate request/response cycle
Exploit: Inject unsolicited HTTP response onto idle keep-alive socket
Execution: Client dispatches next request on same socket
Persist: Injected response associated with new request
Impact: Application receives attacker-controlled data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to control, or to have compromised, the upstream HTTP/1.1 server that the Undici client is communicating with; this is the primary limiting factor and the basis for the AC:H CVSS rating. …

Risk Assessment: The NVD CVSS base score of 3.7 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N accurately captures the limited but real-world risk profile. …

Exploit Scenario: An attacker who controls a backend HTTP/1.1 server targeted by an Undici client responds normally to an initial request, then immediately writes a crafted HTTP/1.1 response onto the now-idle keep-alive socket before it is returned to the pool. When the Undici client dispatches the next unrelated request on that socket, it reads the injected response and delivers the attacker-controlled data to the application as if it were the legitimate reply, potentially poisoning caches, forging authentication tokens, or corrupting business-logic outputs. …

Remediation: Upgrade Undici to v6.26.0, v7.28.0, or v8.5.0 depending on the currently deployed major branch; these are the vendor-confirmed fixed releases per the GitHub Security Advisory GHSA-35p6-xmwp-9g52. …
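As an added example (not code from the undici project or from vuln.today), the patched versions from the Patches and Remediation entries and the `keepAliveTimeout: 0` workaround, encoded as a check a defender can run in CI against a deployment's undici version and its Client/Pool options. The function names are assumptions of this example; only `keepAliveTimeout` and the three fixed releases come from the page.

```javascript
// Added example: CI-style exposure check for CVE-2026-6733.
// Fixed releases per branch, as stated in the advisory text (v6.26.0, v7.28.0, v8.5.0).
const PATCHED_FLOOR = { 6: [6, 26, 0], 7: [7, 28, 0], 8: [8, 5, 0] };

// Parse "7.27.3" or "v7.27.3" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable undici version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> at or above the fixed release for its major branch
// false -> on an affected branch (v6/v7/v8) below the fix
// null  -> branch not covered by the advisory text; treat as unknown, not safe
function isPatched(version) {
  const v = parseVersion(version);
  const floor = PATCHED_FLOOR[v[0]];
  if (!floor) return null;
  return compareVersions(v, floor) >= 0;
}

// Keep-alive reuse is undici's default; the page's workaround is keepAliveTimeout: 0.
function keepAliveDisabled(options = {}) {
  return options.keepAliveTimeout === 0;
}

// One-word verdict for a deployment: 'fixed' | 'mitigated' | 'exposed' | 'unknown'.
function assessExposure(version, options) {
  const patched = isPatched(version);
  if (patched === true) return 'fixed';
  if (keepAliveDisabled(options)) return 'mitigated';
  return patched === false ? 'exposed' : 'unknown';
}

// Options to pass to `new Client(origin, opts)` / `new Pool(origin, opts)` while an
// upgrade is pending; merges into existing options and forces the workaround.
function hardenedOptions(existing = {}) {
  return { ...existing, keepAliveTimeout: 0 };
}
```

Note that `assessExposure` returns `unknown` rather than `fixed` for major versions the advisory does not name, so a CI gate should only pass on `fixed` or `mitigated`.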

