CVE Tools
Sign in

CVE-2026-11525

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Published: Jun 17, 2026Updated: Jun 17, 2026 Sources: CVE List NVDCWE-183
NVD MITRE
3.7CVSSLOW
EPSS Score
0.2%
Top 90.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
No Fix Available

Description

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict). Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:NS:UC:NI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-183

Affected Products

undiciundici
On-prem
OSS Libraries / npm
undicioss-projectOSS Librariesaka undici

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

References

https://cna.openjsf.org/security-advisories.html
cna.openjsf.org
https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m
github.com

Timeline

Published
Jun 17, 2026
Last Updated
Jun 17, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-11525 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows