PatchSiren cyber security CVE debrief
CVE-2026-9679 undici CVE debrief
The CVE record describes a vulnerability in undici's cookie parser. The parser percent-decodes cookie values via qsUnescape, which can lead to HTTP response header injection. This vulnerability was introduced in undici 7.0.0 and can be exploited by an attacker-controlled upstream. Affected applications are those that use undici's cookie parsing and forward the parsed cookie value into a response header. The vulnerability allows for session fixation, open redirect, or cache poisoning.
- Vendor
- undici
- Product
- Unknown
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-25
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-25
Who should care
Developers and administrators using undici's cookie parsing functionality in their applications, especially those that forward parsed cookie values into response headers, should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing and updating affected applications, and implementing compensating controls where necessary.
Technical summary
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. This can lead to HTTP response header injection, enabling session fixation, open redirect, or cache poisoning. The vulnerability was introduced in undici 7.0.0 via PR #3789. Affected applications are those that use undici's cookie parsing and forward the parsed cookie value into a response header, such as proxies, middleware, or SSR frameworks.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
- If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record and NVD detail provide information about the vulnerability, its impact, and the affected versions of undici. The vendor advisory and mitigation information are also available. Evidence limits suggest that further verification is required to confirm affected scope and severity. Defenders should verify undici's cookie parsing usage in their applications, especially those that forward parsed cookie values into response headers.
Official resources
-
CVE-2026-9679 CVE record
CVE.org
-
CVE-2026-9679 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
ce714d77-add3-4f53-aff5-83d477b104bb - Vendor Advisory
-
Mitigation or vendor reference
ce714d77-add3-4f53-aff5-83d477b104bb - Vendor Advisory, Mitigation
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:06.307Z and has not been modified since then.