CVE-2026-6733
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Description
Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
INFO
Published Date: June 17, 2026, 5:14 p.m.
Last Modified: June 17, 2026, 5:14 p.m.
Remotely Exploitable: Yes
Source: openjs
Affected Products
The following products are affected by the CVE-2026-6733 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
No affected product recorded yet.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | LOW | | | | ce714d77-add3-4f53-aff5-83d477b104bb |
| | CVSS 3.1 | LOW | | | | MITRE-CVE |
Solution
- Upgrade to Undici v6.26.0, v7.28.0, or v8.5.0.
- Set keepAliveTimeout to 0 on Client or Pool.
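The following is an added example, not code from the advisory or from the undici project, showing how a service can decide at startup whether the installed undici version falls inside one of the fixed ranges named above (v6.26.0, v7.28.0, v8.5.0) and, if it does not, apply the advisory's workaround by forcing keepAliveTimeout: 0 into the options handed to a Client or Pool. The helper names (parseVersion, compareVersions, isPatchedUndici, withKeepAliveWorkaround) and the sample version strings are this example's own; keepAliveTimeout is the option the advisory names, and the version string is assumed to be supplied by the caller (for example from the lockfile).

```javascript
// Added example (not part of the advisory or of undici): gate the
// CVE-2026-6733 workaround on the installed undici version.
// Fixed releases named in the advisory, keyed by major line.
const FIXED_VERSIONS = { 6: [6, 26, 0], 7: [7, 28, 0], 8: [8, 5, 0] };

// Parse "6.26.0" or "v6.26.0" (a pre-release suffix is ignored) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only when the version sits in a major line the advisory covers and is at
// or above that line's fixed release. Major lines the advisory does not mention
// return false, so the conservative path (apply the workaround) is taken.
function isPatchedUndici(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return false;
  return compareVersions(parsed, fixed) >= 0;
}

// Return dispatcher options for an undici Client or Pool. On an unpatched
// version keep-alive reuse is disabled with keepAliveTimeout: 0 (the advisory's
// workaround), overriding any caller-supplied value; on a patched version the
// caller's options pass through unchanged.
function withKeepAliveWorkaround(version, options = {}) {
  if (isPatchedUndici(version)) return { ...options };
  return { ...options, keepAliveTimeout: 0 };
}

// Typical wiring (undici is not required here so the example runs without it):
//   const { Pool } = require('undici');
//   const installedVersion = '7.27.0'; // read from your lockfile; constructed value
//   const pool = new Pool('https://upstream.example',
//     withKeepAliveWorkaround(installedVersion, { connections: 4 }));
```

Because the decision is made from the version string rather than from runtime behaviour, the same function can be used in a CI check that fails the build when a dependency tree still resolves to an unpatched undici and the workaround is not in place.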