{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T23:17:09.360","vulnerabilities":[{"cve":{"id":"CVE-2026-1525","sourceIdentifier":"ce714d77-add3-4f53-aff5-83d477b104bb","published":"2026-03-12T20:16:02.670","lastModified":"2026-03-19T17:29:34.053","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.\n\nWho is impacted:\n\n  *  Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays\n  *  Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)\n  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking"},{"lang":"es","value":"Undici permite encabezados HTTP Content-Length duplicados cuando se proporcionan en un array con nombres que varían en mayúsculas/minúsculas (p. ej., Content-Length y content-length). Esto produce solicitudes HTTP/1.1 malformadas con múltiples valores Content-Length conflictivos en la red.\n\nQuiénes son los afectados:\n\n  *  Aplicaciones que utilizan undici.request(), undici.Cliente, o APIs de bajo nivel similares con encabezados pasados como arrays planos\n  *  Aplicaciones que aceptan nombres de encabezado controlados por el usuario sin normalización de mayúsculas/minúsculas\n\nPosibles consecuencias:\n\n  *  Denegación de Servicio: Analizadores HTTP estrictos (proxies, servidores) rechazarán las solicitudes con encabezados Content-Length duplicados (400 Solicitud Incorrecta)\n  *  Contrabando de Solicitudes HTTP: En implementaciones donde un intermediario y un backend interpretan encabezados duplicados de manera inconsistente (p. ej., uno usa el primer valor, el otro usa el último), esto puede habilitar ataques de contrabando de solicitudes que conducen a la omisión de ACL, envenenamiento de caché o secuestro de credenciales"}],"metrics":{"cvssMetricV31":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionEndExcluding":"6.24.0","matchCriteriaId":"C08CE582-019D-4A06-910A-6010C2D6EF4F"},{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.24.0","matchCriteriaId":"F016E7D9-C45A-4DEF-9AD8-F0581AF5E509"}]}]}],"references":[{"url":"https://cna.openjsf.org/security-advisories.html","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Vendor Advisory"]},{"url":"https://cwe.mitre.org/data/definitions/444.html","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Technical Description"]},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Mitigation","Vendor Advisory"]},{"url":"https://hackerone.com/reports/3556037","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Permissions Required"]},{"url":"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6","source":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":["Technical Description"]}]}}]}