Severity: MEDIUM (5.9)

GHSA-p88m-4jfj-68fv

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Details

## Impact

undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a `Set-Cookie` header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary `Set-Cookie`, `Location`, or `Cache-Control` headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (`parseSetCookie`, `parseCookie`, `getSetCookies`) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via [#3789](https://github.com/nodejs/undici/pull/3789).

## Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

## Workarounds

If upgrading is not immediately possible, do not forward values returned by `parseSetCookie`/`parseCookie`/`getSetCookies` directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, `;`, and `=` bytes.


Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| npm / undici | 0 | 6.27.0 | `npm install undici@6.27.0` |
| npm / undici | 7.0.0 | 7.28.0 | `npm install undici@7.28.0` |
| npm / undici | 8.0.0 | 8.5.0 | `npm install undici@8.5.0` |
