Upstream information

CVE-2026-1527 at MITRE

Description

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
CVSS detail CNA (openjs)
Base Score 4.6
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 9
  • nodejs >= 24.14.1-2.module+el9.7.0+24166+51c9666b
  • nodejs-devel >= 24.14.1-2.module+el9.7.0+24166+51c9666b
  • nodejs-docs >= 24.14.1-2.module+el9.7.0+24166+51c9666b
  • nodejs-full-i18n >= 24.14.1-2.module+el9.7.0+24166+51c9666b
  • nodejs-libs >= 24.14.1-2.module+el9.7.0+24166+51c9666b
  • nodejs-nodemon >= 3.0.3-3.module+el9.7.0+24166+51c9666b
  • nodejs-packaging >= 2021.06-6.module+el9.7.0+24166+51c9666b
  • nodejs-packaging-bundler >= 2021.06-6.module+el9.7.0+24166+51c9666b
  • npm >= 11.11.0-1.24.14.1.2.module+el9.7.0+24166+51c9666b
  • v8-13.6-devel >= 13.6.233.17-1.24.14.1.2.module+el9.7.0+24166+51c9666b
 Patchnames:
RHSA-2026:7350

SUSE Timeline for this CVE

CVE page created: Fri Mar 13 00:03:29 2026
CVE page last modified: Fri Apr 10 22:03:12 2026