CVE-2026-6733: undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

June 19, 2026

Undici’s HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

References

cna.openjsf.org/security-advisories.html
github.com/advisories/GHSA-35p6-xmwp-9g52
github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52
hackerone.com/reports/3582376
nvd.nist.gov/vuln/detail/CVE-2026-6733

Code Behaviors & Features

Detect and mitigate CVE-2026-6733 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →