Permissive List of Allowed Inputs Affecting undici package, versions <6.27.0>=7.0.0 <7.28.0>=8.0.0 <8.5.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-UNDICI-17372758
  • published18 Jun 2026
  • disclosed17 Jun 2026
  • creditUnknown

Introduced: 17 Jun 2026

NewCVE-2026-11525  (opens in a new tab)
CWE-183  (opens in a new tab)

How to fix?

Upgrade undici to version 6.27.0, 7.28.0, 8.5.0 or higher.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcement by crafting a response with a non-standard SameSite value that is interpreted as a more permissive setting, potentially allowing cookies to be sent in cross-site requests.

Note: This is only exploitable if the application consumes Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forwards or relies on the parsed sameSite attribute.

Workaround

This vulnerability can be mitigated by validating that the parsed sameSite attribute is exactly 'Strict', 'Lax', or 'None' (case-insensitive) before relying on or forwarding it.

CVSS Base Scores

version 4.0
version 3.1