Undici
CVE-2026-9678
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable with no auth required for the attacker, but AC:H because three specific non-default deployment conditions must simultaneously align; no integrity or availability impact applies.
Primary rating from Vendor (openjs).
CVSS Vector (Vendor: openjs)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (source: CVE.org)
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.
In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.
Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.
Patches: Upgrade to undici v7.28.0 or v8.5.0.
Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.
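The description above turns on one parsing detail: a qualified directive such as `private=" authorization"` carries its field names inside a quoted-string, and RFC 9111 permits optional whitespace around each list member, so a cache must trim the members before comparing them with `authorization`. The following is an added illustration written for this page, not undici's own cache interceptor code; the function names `splitTopLevel`, `parseCacheControl` and `sharedCacheMayStore`, the `normalize` option and the simplified storage policy are assumptions made for the example. With `normalize: false` the parser keeps the padding and reproduces the misclassification the advisory describes; with the default it trims and lower-cases each field name, which is the behaviour a correct shared cache needs.

```javascript
// Added example, not undici's code: a minimal Cache-Control parser that shows
// why whitespace inside a qualified directive matters for a shared cache.
// Qualified directives carry a quoted list of field names, e.g.
//   Cache-Control: max-age=60, private=" authorization"
// RFC 9111 s.5.2 allows optional whitespace around list members inside the
// quoted-string, so a parser must trim each member before comparing it.

// Split a header value on commas that are outside quoted-strings.
function splitTopLevel(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// Parse Cache-Control into a Map. For the list-valued directives `private`
// and `no-cache` the value is an array of field names. With normalize=false
// the field names keep their surrounding whitespace, reproducing the
// misclassification described in the advisory; with normalize=true (default)
// they are trimmed and lower-cased before any comparison.
function parseCacheControl(value, { normalize = true } = {}) {
  const directives = new Map();
  for (const rawPart of splitTopLevel(value)) {
    const part = rawPart.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    if (eq === -1) {
      directives.set(part.toLowerCase(), true); // bare directive, e.g. `private`
      continue;
    }
    const name = part.slice(0, eq).trim().toLowerCase();
    let arg = part.slice(eq + 1).trim();
    if (arg.length >= 2 && arg.startsWith('"') && arg.endsWith('"')) {
      arg = arg.slice(1, -1); // unquote; whitespace inside the quotes survives here
    }
    if (name === 'private' || name === 'no-cache') {
      const fields = arg.split(',').map((f) => (normalize ? f.trim().toLowerCase() : f));
      directives.set(name, fields.filter((f) => f !== ''));
    } else {
      directives.set(name, arg);
    }
  }
  return directives;
}

// Decide whether a shared cache may store a response to a request that
// carried an Authorization header. Simplified policy assumed for the example:
// `no-store` or an unqualified `private` forbids storage, and a `private` or
// `no-cache` list that names `authorization` forbids it for such requests.
function sharedCacheMayStore(cacheControl, requestHadAuthorization, opts) {
  const d = parseCacheControl(cacheControl, opts);
  if (d.has('no-store')) return false;
  if (d.get('private') === true) return false;
  if (!requestHadAuthorization) return true;
  const namesAuthorization = (list) => Array.isArray(list) && list.includes('authorization');
  return !(namesAuthorization(d.get('private')) || namesAuthorization(d.get('no-cache')));
}

// Usage: the same padded header, parsed the naive way and the normalized way.
const paddedHeader = 'max-age=60, private=" authorization"';
console.log(sharedCacheMayStore(paddedHeader, true, { normalize: false })); // true: misclassified as storable
console.log(sharedCacheMayStore(paddedHeader, true));                       // false: correctly refused

module.exports = { splitTopLevel, parseCacheControl, sharedCacheMayStore };
```

The two calls at the bottom differ only in whether the field names are normalized, which is the whole gap the advisory describes. Note that the `Vary: Authorization` workaround listed above addresses the problem from a different direction: it does not change how the response is classified, it makes the cache key depend on the credential so that two callers with different Authorization values no longer resolve to the same entry.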
Analysis (AI)
Cache information disclosure in Undici's shared-mode cache interceptor allows a prior authenticated user's HTTP response to be served to a subsequent, potentially unauthenticated, caller. Applications using Undici's explicit interceptors.cache() in shared mode that forward Authorization headers to an upstream which returns Cache-Control headers with whitespace-padded qualified directives (e.g., private=" authorization") are affected across all v7 versions prior to 7.28.0 and all v8 versions prior to 8.5.0. …
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires all three of the following conditions to be true simultaneously: (1) Undici's cache interceptor is explicitly configured in shared mode via `interceptors.cache()` with shared-cache enabled, a deliberate, non-default developer choice rather than out-of-the-box behavior; (2) the application forwards client Authorization headers to the upstream HTTP server without stripping or transforming them; (3) the upstream server returns Cache-Control responses with whitespace-padded qualified private or no-cache field names, for example `Cache-Control: private=" authorization"` (space before the field name) or `Cache-Control: no-cache="\tauthorization"` (tab before the field name), a non-canonical but RFC 9111-compliant format. … |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N yields a score of 5.9 (Medium). … |
| Exploit Scenario | An attacker issues an unauthenticated HTTP request to an application whose Undici client is configured with a shared cache interceptor and which forwards Authorization headers upstream. A prior legitimate user's request to the same endpoint caused Undici to store the upstream response in the shared cache because the upstream's `Cache-Control: private=" authorization"` header (with a padding space before the field name) bypassed the cache's exclusion check. … |
| Remediation | Upgrade to undici v7.28.0 or v8.5.0, which correct the whitespace-normalization logic in the cache interceptor's qualified directive parser; the advisory is at https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6. … |