Skip to main content

Open Redirect CVE-2026-9679

MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-17 openjs
Open Redirect Undici
5.9
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from Vendor (openjs) · only source for this CVE.

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 18:09 vuln.today

DescriptionCVE.org

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via PR #3789.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.

AnalysisAI

HTTP response header injection in undici's cookie parser exposes proxy, middleware, and SSR framework applications to session fixation, open redirect, and cache poisoning. The parseSetCookie, parseCookie, and getSetCookies functions incorrectly percent-decode cookie values using qsUnescape, converting encoded sequences such as %0D%0A into literal CRLF bytes in violation of RFC 6265 §5.4, which prescribes no such decoding. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM
6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire
CVE-2026-50089 MEDIUM
6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara
CVE-2026-10837 MEDIUM
5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM
5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

CVE-2025-32748 MEDIUM
4.3 Jun 17

Host Header Injection in Dell PowerFlex Rack RCM 3.7 enables unauthenticated remote attackers to trigger open redirects

Share

CVE-2026-9679 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy