PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9679 undici CVE debrief

The CVE record describes a vulnerability in undici's cookie parser. The parser percent-decodes cookie values via qsUnescape, which can lead to HTTP response header injection. This vulnerability was introduced in undici 7.0.0 and can be exploited by an attacker-controlled upstream. Affected applications are those that use undici's cookie parsing and forward the parsed cookie value into a response header. The vulnerability allows for session fixation, open redirect, or cache poisoning.

Vendor
undici
Product
Unknown
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-25
Advisory published
2026-06-17
Advisory updated
2026-06-25

Who should care

Developers and administrators using undici's cookie parsing functionality in their applications, especially those that forward parsed cookie values into response headers, should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing and updating affected applications, and implementing compensating controls where necessary.

Technical summary

undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. This can lead to HTTP response header injection, enabling session fixation, open redirect, or cache poisoning. The vulnerability was introduced in undici 7.0.0 via PR #3789. Affected applications are those that use undici's cookie parsing and forward the parsed cookie value into a response header, such as proxies, middleware, or SSR frameworks.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
  • If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record and NVD detail provide information about the vulnerability, its impact, and the affected versions of undici. The vendor advisory and mitigation information are also available. Evidence limits suggest that further verification is required to confirm affected scope and severity. Defenders should verify undici's cookie parsing usage in their applications, especially those that forward parsed cookie values into response headers.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:06.307Z and has not been modified since then.