undici up to 6.25.x/7.27.x/8.4.x Cookies Feature permissive list of allowed inputs

Summaryinfo

A vulnerability was found in undici up to 6.25.x/7.27.x/8.4.x. It has been rated as problematic. Affected is an unknown function of the component Cookies Feature. This manipulation causes permissive list of allowed inputs. This vulnerability is registered as CVE-2026-11525. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in undici up to 6.25.x/7.27.x/8.4.x. It has been declared as problematic. Affected by this vulnerability is an unknown function of the component Cookies Feature. The manipulation with an unknown input leads to a permissive list of allowed inputs vulnerability. The CWE definition for the vulnerability is CWE-183. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. As an impact it is known to affect integrity. The summary by CVE is:

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict). Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-11525 since 06/07/2026. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

Upgrading to version 6.26.0, 7.28.0 or 8.5.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-37758). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• undici

Version

• 6.0
• 6.1
• 6.2
• 6.3
• 6.4
• 6.5
• 6.6
• 6.7
• 6.8
• 6.9
• 6.10
• 6.11
• 6.12
• 6.13
• 6.14
• 6.15
• 6.16
• 6.17
• 6.18
• 6.19
• 6.20
• 6.21
• 6.22
• 6.23
• 6.24
• 6.25
• 7.0
• 7.1
• 7.2
• 7.3
• 7.4
• 7.5
• 7.6
• 7.7
• 7.8
• 7.9
• 7.10
• 7.11
• 7.12
• 7.13
• 7.14
• 7.15
• 7.16
• 7.17
• 7.18
• 7.19
• 7.20
• 7.21
• 7.22
• 7.23
• 7.24
• 7.25
• 7.26
• 7.27
• 8.0
• 8.1
• 8.2
• 8.3
• 8.4

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion