CVE-2025-9679: undici HTTP Response Header Injection via Set-Cookie

Vulnerability Overview Vulnerability Name: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding CVE ID: CVE-2025-9679 CVSS v3 base metrics: 5.9 / 10 Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High Affected Scope Affected Versions: < 6.26.0, 7.0.0 < 7.28.0, 8.0.0 < 6.26.0, 7.28.0, 8.0.0 < 8.5.0 Impact Description: undici's cookie parser performs percent-decoding on cookie values in using , converting encoded sequences such as , , , and into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding, and browsers do not decode them either. Specific Impact: Applications that parse the header and forward the parsed values to response headers (proxies, middleware, SSR frameworks) are susceptible to HTTP response header injection attacks. An attacker-controlled upstream can inject arbitrary , , or headers into the application's downstream responses, enabling session fixation, open redirection, or cache poisoning. Affected Applications: Applications using undici's cookie parsing ( , , ) that forward the parsed cookie values to response headers. Remediation Patch Version: Upgrade to undici v6.26.0, v7.28.0, or v8.5.0. Temporary Workaround: If an immediate upgrade is not possible, do not directly forward the values returned by , , or to response headers; sanitize the values to allow only CR, LF, NULL, , and bytes before forwarding. POC Code or Exploit Code No specific POC code or exploit code is provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-9679: undici HTTP Response Header Injection via Set-Cookie

More from this source