{ "threat_severity" : "Moderate", "public_date" : "2026-03-12T19:56:55Z", "bugzilla" : { "description" : "undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers", "id" : "2447144", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447144" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.\nWho is impacted:\n* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays\n* Applications that accept user-controlled header names without case-normalization\nPotential consequences:\n* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)\n* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking", "A flaw was found in undici, a Node.js HTTP/1.1 client. A remote attacker could exploit this vulnerability by sending HTTP/1.1 requests that include duplicate Content-Length headers with different casing (e.g., \"Content-Length\" and \"content-length\"). This can lead to HTTP Request Smuggling, a technique where an attacker sends an ambiguous request that is interpreted differently by a proxy and a backend server. Successful exploitation could result in unauthorized access, cache poisoning, or credential hijacking. It may also cause a Denial of Service (DoS) if strict HTTP parsers reject the malformed requests." ], "statement" : "Moderate impact. A flaw in the undici Node.js HTTP/1.1 client allows for HTTP Request Smuggling or Denial of Service. This can occur in Red Hat products that use undici and process HTTP requests where user-controlled header names are not case-normalized, or headers are passed as flat arrays.", "affected_release" : [ { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:17789", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-openshift-console-plugin-rhel9:4.2.0-9" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:17789", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-rhel9:4.2.0-9" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-04-08T00:00:00Z", "advisory" : "RHSA-2026:7080", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "nodejs22-1:22.22.2-1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-04-13T00:00:00Z", "advisory" : "RHSA-2026:7675", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "nodejs24-1:24.14.1-2.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-04-09T00:00:00Z", "advisory" : "RHSA-2026:7310", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "nodejs22-1:22.22.2-2.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-08T00:00:00Z", "advisory" : "RHSA-2026:7123", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:22-8100020260331102257.6d880403" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-13T00:00:00Z", "advisory" : "RHSA-2026:7670", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:24-8100020260408131901.6d880403" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-04-09T00:00:00Z", "advisory" : "RHSA-2026:7302", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs:22-9070020260401095228.rhel9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-04-09T00:00:00Z", "advisory" : "RHSA-2026:7350", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs:24-9070020260402152654.rhel9" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-04-14T00:00:00Z", "advisory" : "RHSA-2026:7983", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "nodejs:22-9060020260409121057.rhel9" }, { "product_name" : "Red Hat Developer Hub 1.8", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9742", "cpe" : "cpe:/a:redhat:rhdh:1.8::el9", "package" : "rhdh/rhdh-hub-rhel9:1776784286" }, { "product_name" : "Red Hat Developer Hub 1.9", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13826", "cpe" : "cpe:/a:redhat:rhdh:1.9::el9", "package" : "rhdh/rhdh-hub-rhel9:1777903262" } ], "package_state" : [ { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed/lightspeed-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Will not fix", "package_name" : "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Affected", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/code-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/code-sshd-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/openvsx-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Self-service automation portal 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-portal", "cpe" : "cpe:/a:redhat:ansible_portal:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1525\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1525\nhttps://cna.openjsf.org/security-advisories.html\nhttps://cwe.mitre.org/data/definitions/444.html\nhttps://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm\nhttps://hackerone.com/reports/3556037\nhttps://www.rfc-editor.org/rfc/rfc9110.html#section-8.6" ], "name" : "CVE-2026-1525", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }