Skip to main content

Red Hat EUVDEUVD-2026-11685

| CVE-2026-1525 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-03-12 ce714d77-add3-4f53-aff5-83d477b104bb GHSA-2mjp-6q6p-2qxm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 12, 2026 - 22:55 euvd
EUVD-2026-11685
Analysis Generated
Mar 12, 2026 - 22:55 vuln.today
CVE Published
Mar 12, 2026 - 20:16 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 npm packages depend on undici (16 direct, 23 indirect)

Ecosystem-wide dependent count for version 7.0.0.

DescriptionCVE.org

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential consequences:

  • Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  • HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

AnalysisAI

Undici fails to normalize HTTP header names when processing arrays, allowing duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length") to be sent in malformed requests. Applications using undici's low-level APIs with user-controlled header inputs are vulnerable to request rejection by strict HTTP parsers or potential HTTP request smuggling attacks if intermediaries and backend servers interpret conflicting header values inconsistently. No patch is currently available.

Technical ContextAI

Classified as CWE-444 (HTTP Request/Response Smuggling). Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential conseque

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed

Share

EUVD-2026-11685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy