CVE-2026-1525 (GCVE-0-2026-1525)

Vulnerability from cvelistv5 – Published: 2026-03-12 19:56 – Updated: 2026-03-12 20:46
VLAI?
Title
undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Summary
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CWE
  • CWE-444 - Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')
Assigner
References
Impacted products
Vendor Product Version
undici undici Affected: < 6.24.0; 7.0.0 < 7.24.0
Unaffected: 6.24.0: 7.24.0
Create a notification for this product.
Credits
Matteo Collina Ulises Gascón
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1525",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T20:44:24.555703Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T20:46:13.379Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/nodejs/undici/",
          "defaultStatus": "unaffected",
          "packageName": "undici",
          "product": "undici",
          "repo": "https://github.com/nodejs/undici/",
          "vendor": "undici",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.24.0; 7.0.0 \u003c 7.24.0"
            },
            {
              "status": "unaffected",
              "version": "6.24.0: 7.24.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Matteo Collina"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ulises Gasc\u00f3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUndici allows duplicate HTTP\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers when they are provided in an array with case-variant names (e.g.,\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;and\u0026nbsp;\u003ccode\u003econtent-length\u003c/code\u003e). This produces malformed HTTP/1.1 requests with multiple conflicting\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;values on the wire.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWho is impacted:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eApplications using\u0026nbsp;\u003ccode\u003eundici.request()\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eundici.Client\u003c/code\u003e, or similar low-level APIs with headers passed as flat arrays\u003c/li\u003e\u003cli\u003eApplications that accept user-controlled header names without case-normalization\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePotential consequences:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers (400 Bad Request)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eHTTP Request Smuggling\u003c/strong\u003e: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Undici allows duplicate HTTP\u00a0Content-Length\u00a0headers when they are provided in an array with case-variant names (e.g.,\u00a0Content-Length\u00a0and\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\u00a0Content-Length\u00a0values on the wire.\n\nWho is impacted:\n\n  *  Applications using\u00a0undici.request(),\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\n  *  Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u00a0Content-Length\u00a0headers (400 Bad Request)\n  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-33",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-33 HTTP Request Smuggling"
            }
          ]
        },
        {
          "capecId": "CAPEC-273",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-273 HTTP Response Smuggling"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T19:56:55.092Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm"
        },
        {
          "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/444.html"
        },
        {
          "url": "https://hackerone.com/reports/3556037"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "source": {
        "advisory": "GHSA-2mjp-6q6p-2qxm",
        "discovery": "INTERNAL"
      },
      "title": "undici is vulnerable to Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf upgrading is not immediately possible:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eValidate header names\u003c/strong\u003e: Ensure no duplicate\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers (case-insensitive) are present before passing headers to undici\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse object format\u003c/strong\u003e: Pass headers as a plain object (\u003ccode\u003e{ \u0027content-length\u0027: \u0027123\u0027 }\u003c/code\u003e) rather than an array, which naturally deduplicates by key\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSanitize user input\u003c/strong\u003e: If headers originate from user input, normalize header names to lowercase and reject duplicates\u003c/li\u003e\u003c/ol\u003e"
            }
          ],
          "value": "If upgrading is not immediately possible:\n\n  *  Validate header names: Ensure no duplicate\u00a0Content-Length\u00a0headers (case-insensitive) are present before passing headers to undici\n  *  Use object format: Pass headers as a plain object ({ \u0027content-length\u0027: \u0027123\u0027 }) rather than an array, which naturally deduplicates by key\n  *  Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-1525",
    "datePublished": "2026-03-12T19:56:55.092Z",
    "dateReserved": "2026-01-28T12:04:51.369Z",
    "dateUpdated": "2026-03-12T20:46:13.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-1525",
      "date": "2026-05-24",
      "epss": "0.00019",
      "percentile": "0.05283"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1525\",\"sourceIdentifier\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"published\":\"2026-03-12T20:16:02.670\",\"lastModified\":\"2026-03-19T17:29:34.053\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Undici allows duplicate HTTP\u00a0Content-Length\u00a0headers when they are provided in an array with case-variant names (e.g.,\u00a0Content-Length\u00a0and\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\u00a0Content-Length\u00a0values on the wire.\\n\\nWho is impacted:\\n\\n  *  Applications using\u00a0undici.request(),\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\\n  *  Applications that accept user-controlled header names without case-normalization\\n\\n\\nPotential consequences:\\n\\n  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u00a0Content-Length\u00a0headers (400 Bad Request)\\n  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\"},{\"lang\":\"es\",\"value\":\"Undici permite encabezados HTTP Content-Length duplicados cuando se proporcionan en un array con nombres que var\u00edan en may\u00fasculas/min\u00fasculas (p. ej., Content-Length y content-length). Esto produce solicitudes HTTP/1.1 malformadas con m\u00faltiples valores Content-Length conflictivos en la red.\\n\\nQui\u00e9nes son los afectados:\\n\\n  *  Aplicaciones que utilizan undici.request(), undici.Cliente, o APIs de bajo nivel similares con encabezados pasados como arrays planos\\n  *  Aplicaciones que aceptan nombres de encabezado controlados por el usuario sin normalizaci\u00f3n de may\u00fasculas/min\u00fasculas\\n\\nPosibles consecuencias:\\n\\n  *  Denegaci\u00f3n de Servicio: Analizadores HTTP estrictos (proxies, servidores) rechazar\u00e1n las solicitudes con encabezados Content-Length duplicados (400 Solicitud Incorrecta)\\n  *  Contrabando de Solicitudes HTTP: En implementaciones donde un intermediario y un backend interpretan encabezados duplicados de manera inconsistente (p. ej., uno usa el primer valor, el otro usa el \u00faltimo), esto puede habilitar ataques de contrabando de solicitudes que conducen a la omisi\u00f3n de ACL, envenenamiento de cach\u00e9 o secuestro de credenciales\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.24.0\",\"matchCriteriaId\":\"C08CE582-019D-4A06-910A-6010C2D6EF4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.24.0\",\"matchCriteriaId\":\"F016E7D9-C45A-4DEF-9AD8-F0581AF5E509\"}]}]}],\"references\":[{\"url\":\"https://cna.openjsf.org/security-advisories.html\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cwe.mitre.org/data/definitions/444.html\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/3556037\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Technical Description\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1525\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T20:44:24.555703Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T20:44:25.316Z\"}}], \"cna\": {\"title\": \"undici is vulnerable to Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\", \"source\": {\"advisory\": \"GHSA-2mjp-6q6p-2qxm\", \"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Matteo Collina\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Ulises Gasc\\u00f3n\"}], \"impacts\": [{\"capecId\": \"CAPEC-33\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-33 HTTP Request Smuggling\"}]}, {\"capecId\": \"CAPEC-273\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-273 HTTP Response Smuggling\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/nodejs/undici/\", \"vendor\": \"undici\", \"product\": \"undici\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.24.0; 7.0.0 \u003c 7.24.0\"}, {\"status\": \"unaffected\", \"version\": \"6.24.0: 7.24.0\"}], \"packageName\": \"undici\", \"collectionURL\": \"https://github.com/nodejs/undici/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm\"}, {\"url\": \"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6\"}, {\"url\": \"https://cwe.mitre.org/data/definitions/444.html\"}, {\"url\": \"https://hackerone.com/reports/3556037\"}, {\"url\": \"https://cna.openjsf.org/security-advisories.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"If upgrading is not immediately possible:\\n\\n  *  Validate header names: Ensure no duplicate\\u00a0Content-Length\\u00a0headers (case-insensitive) are present before passing headers to undici\\n  *  Use object format: Pass headers as a plain object ({ \u0027content-length\u0027: \u0027123\u0027 }) rather than an array, which naturally deduplicates by key\\n  *  Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIf upgrading is not immediately possible:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eValidate header names\u003c/strong\u003e: Ensure no duplicate\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers (case-insensitive) are present before passing headers to undici\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse object format\u003c/strong\u003e: Pass headers as a plain object (\u003ccode\u003e{ \u0027content-length\u0027: \u0027123\u0027 }\u003c/code\u003e) rather than an array, which naturally deduplicates by key\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSanitize user input\u003c/strong\u003e: If headers originate from user input, normalize header names to lowercase and reject duplicates\u003c/li\u003e\u003c/ol\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Undici allows duplicate HTTP\\u00a0Content-Length\\u00a0headers when they are provided in an array with case-variant names (e.g.,\\u00a0Content-Length\\u00a0and\\u00a0content-length). This produces malformed HTTP/1.1 requests with multiple conflicting\\u00a0Content-Length\\u00a0values on the wire.\\n\\nWho is impacted:\\n\\n  *  Applications using\\u00a0undici.request(),\\u00a0undici.Client, or similar low-level APIs with headers passed as flat arrays\\n  *  Applications that accept user-controlled header names without case-normalization\\n\\n\\nPotential consequences:\\n\\n  *  Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\\u00a0Content-Length\\u00a0headers (400 Bad Request)\\n  *  HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUndici allows duplicate HTTP\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers when they are provided in an array with case-variant names (e.g.,\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;and\u0026nbsp;\u003ccode\u003econtent-length\u003c/code\u003e). This produces malformed HTTP/1.1 requests with multiple conflicting\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;values on the wire.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWho is impacted:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eApplications using\u0026nbsp;\u003ccode\u003eundici.request()\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eundici.Client\u003c/code\u003e, or similar low-level APIs with headers passed as flat arrays\u003c/li\u003e\u003cli\u003eApplications that accept user-controlled header names without case-normalization\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePotential consequences:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: Strict HTTP parsers (proxies, servers) will reject requests with duplicate\u0026nbsp;\u003ccode\u003eContent-Length\u003c/code\u003e\u0026nbsp;headers (400 Bad Request)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eHTTP Request Smuggling\u003c/strong\u003e: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444 Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"shortName\": \"openjs\", \"dateUpdated\": \"2026-03-12T19:56:55.092Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1525\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T20:46:13.379Z\", \"dateReserved\": \"2026-01-28T12:04:51.369Z\", \"assignerOrgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"datePublished\": \"2026-03-12T19:56:55.092Z\", \"assignerShortName\": \"openjs\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.