PatchSiren cyber security CVE debrief

CVE-2026-11525 undici CVE debrief

CVE-2026-11525 is a vulnerability in undici, a Node.js HTTP/1.1 client. When undici parses a Set-Cookie header, it accepts any SameSite attribute value that merely contains 'Strict', 'Lax', or 'None' as a substring, instead of requiring an exact match as RFC 6265 specifies. A malicious server can therefore coerce consumers into adopting weaker SameSite cookie policies, a potential security downgrade. The issue was introduced in undici 5.15.0 and affects applications that consume Set-Cookie headers and rely on the parsed sameSite attribute. Users should upgrade to undici v6.26.0, v7.28.0, or v8.5.0. As a workaround, validate the sameSite attribute after parsing to ensure it is exactly 'Strict', 'Lax', or 'None'.

Vendor: undici
Product: Unknown
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Developers and administrators using undici in Node.js applications, especially those handling Set-Cookie headers and relying on SameSite policies for security, should be aware of this vulnerability. Applications that consume Set-Cookie headers from server responses and then forward or rely on the parsed sameSite attribute are potentially affected.

Technical summary

The vulnerability lies in undici's parsing of Set-Cookie headers: it accepts non-standard SameSite attribute values that merely contain 'Strict', 'Lax', or 'None' as a substring and silently maps them to one of those standard tokens, so a value that is not a valid token can be reported as one and SameSite enforcement potentially downgraded. The issue was introduced in undici 5.15.0 with the addition of the cookies feature. Affected applications include those using undici's fetch or proxy code paths.

Defensive priority

Low

Recommended defensive actions

  • Upgrade to undici v6.26.0, v7.28.0, or v8.5.0.
  • After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.
  • Review applications that consume Set-Cookie headers and rely on the parsed sameSite attribute.
  • Ensure that any application using undici properly handles SameSite cookie policies.
  • Monitor undici's official advisories for further guidance.
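The substring-versus-exact matching described in this debrief, and the post-parse check recommended above, as an added example that is not undici's own code. It uses a simplified stand-in Set-Cookie parser and constructed sample headers; the only assumption is that the parsed cookie is an object carrying a string sameSite field.

```javascript
// Added example for this debrief, not undici's code: a simplified stand-in
// parser contrasting the substring matching described above with exact RFC 6265
// matching, plus a post-parse check. Names and sample headers are constructed.

const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Raw SameSite attribute value from a Set-Cookie header (undefined if absent).
function rawSameSite(header) {
  for (const part of header.split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name === 'samesite') return eq === -1 ? '' : part.slice(eq + 1).trim();
  }
  return undefined;
}

// Vulnerable behaviour: any value *containing* a token maps to it ("NotStrict" -> "Strict").
function mapSameSiteLenient(raw) {
  const lower = raw.toLowerCase();
  return SAMESITE_TOKENS.find((t) => lower.includes(t.toLowerCase()));
}

// Corrected behaviour: exact, case-insensitive match; anything else is rejected.
function mapSameSiteExact(raw) {
  const lower = raw.trim().toLowerCase();
  return SAMESITE_TOKENS.find((t) => t.toLowerCase() === lower);
}

// Minimal parser: cookie name/value plus sameSite via the given mapper.
function parseSetCookie(header, mapSameSite) {
  const nv = header.split(';')[0];
  const eq = nv.indexOf('=');
  const cookie = { name: nv.slice(0, eq).trim(), value: nv.slice(eq + 1).trim() };
  const raw = rawSameSite(header);
  if (raw !== undefined) cookie.sameSite = mapSameSite(raw);
  return cookie;
}

// Workaround check: a lenient parser's output is already a standard token, so
// compare it against an exact re-parse of the raw attribute before trusting it.
function sameSiteIsTrustworthy(header, parsed) {
  const raw = rawSameSite(header);
  if (raw === undefined) return parsed.sameSite === undefined;
  const exact = mapSameSiteExact(raw);
  return exact !== undefined && parsed.sameSite === exact;
}

// Constructed sample headers: well-formed vs. a non-standard SameSite value.
const GOOD = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';
const BAD = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=NotStrict';
```

Because the lenient mapping has already replaced the offending value with a standard token by the time a consumer sees the parsed object, the check needs the raw header as well as the parsed cookie.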

Evidence notes

The information provided is based on the CVE-2026-11525 record and related sources from the Node.js undici project and OpenJSF. The vulnerability details and impact assessment rely on these official sources.
