AIKIDO-2026-48713

undici is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection')

Weakness: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE: CVE-2026-9679
Published 4 days ago

59

Medium Risk

This Affects:

undici (JS)
- 6.0.0 - 6.25.0, fixed in 6.26.0
- 7.0.0 - 7.27.2, fixed in 7.28.0
- 8.0.0 - 8.4.1, fixed in 8.5.0

TL;DR

undici's Set-Cookie parser percent-decodes cookie values with qsUnescape, turning encoded sequences such as %0D%0A, %00, %3B, and %3D into their literal bytes, even though RFC 6265 specifies no decoding. An application that parses a Set-Cookie header and forwards the parsed value into one of its own response headers can be tricked by a malicious upstream into injecting carriage-return and line-feed bytes and adding arbitrary Set-Cookie, Location, or Cache-Control headers. This enables HTTP response header injection leading to session fixation, open redirect, or cache poisoning. The fix stops percent-decoding cookie values during parsing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

undici is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in versions 6.0.0 - 6.25.0, 7.0.0 - 7.27.2 and 8.0.0 - 8.4.1.

How to fix this

Upgrade undici to a patched release of the major line you use: 6.26.0, 7.28.0 or 8.5.0.