CVE-2026-1525
Severity: MEDIUM
Weakness: CWE-444
Published: March 12, 2026 · Updated: Mar 12, 2026

CVSS v3.1 base score: 6.5
EPSS: 0.04% probability of exploitation in 30 days (percentile: 12.4th)

Official Description

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays

* Applications that accept user-controlled header names without case-normalization

Potential consequences:

* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)

* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
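The mitigation the description implies is to refuse or normalize case-variant duplicate header names before they reach the low-level API. The following is an added example written for this page, not undici's code: a pre-flight check for the flat header array form (`[name, value, name, value, ...]`) that undici.request() accepts, with `collectHeader`, `checkContentLength` and `normalizeHeaders` as assumed names, and no dependency on undici itself.

```javascript
// Defensive pre-flight for flat header arrays ([name, value, name, value, ...]).
// HTTP/1.1 header names are case-insensitive, so "Content-Length" and
// "content-length" must be treated as the same header, which is exactly the
// case the advisory says undici did not collapse.

// Collect every value seen for one header name, comparing names case-insensitively.
function collectHeader(flatHeaders, name) {
  if (flatHeaders.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even number of entries');
  }
  const wanted = name.toLowerCase();
  const values = [];
  for (let i = 0; i < flatHeaders.length; i += 2) {
    if (String(flatHeaders[i]).toLowerCase() === wanted) {
      values.push(String(flatHeaders[i + 1]));
    }
  }
  return values;
}

// { ok: true } when at most one distinct Content-Length value is present,
// { ok: false, values } when conflicting values would go on the wire.
function checkContentLength(flatHeaders) {
  const values = collectHeader(flatHeaders, 'content-length');
  const ok = new Set(values).size <= 1;
  return { ok, values };
}

// Lower-case every name, drop exact repeats of the same name/value pair, and
// refuse the request outright if Content-Length still has conflicting values.
function normalizeHeaders(flatHeaders) {
  const out = [];
  const seenPairs = new Set();
  for (let i = 0; i < flatHeaders.length; i += 2) {
    const key = String(flatHeaders[i]).toLowerCase();
    const value = String(flatHeaders[i + 1]);
    const pair = key + '\u0000' + value;
    if (seenPairs.has(pair)) continue; // identical duplicate: keep one copy
    seenPairs.add(pair);
    out.push(key, value);
  }
  const lengths = collectHeader(out, 'content-length');
  if (lengths.length > 1) {
    throw new Error('conflicting Content-Length values: ' + lengths.join(', '));
  }
  return out;
}

// Constructed sample input: the case-variant pair described in the advisory.
const sampleHeaders = ['Host', 'example.test', 'Content-Length', '5', 'content-length', '11'];
```

Calling `checkContentLength(sampleHeaders)` reports the conflict, and `normalizeHeaders(sampleHeaders)` throws instead of emitting two Content-Length lines.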

Source: NVD

Technical Analysis

CVE-2026-1525 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: None
  Integrity: Low
  Availability: Low
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-1525
CVSS Score: 6.5 / 10
Severity: MEDIUM
Weakness: CWE-444
CISA KEV: No
EPSS (30d): 0.04%
Published: Mar 12, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-1525 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.