🚨 Medium-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released! Patches CVE-2026-9679. undici vulnerable to HTTP header injection via Set-Cookie percent-decoding. github.com/nodejs/undic...
1d
## Impact

undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equi...
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
github.com
Ulises Gascón
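
The decoding issue described in the advisory excerpt above, as an added example that is not part of the original post or of undici's code: a check a consumer could run on still-encoded cookie values before forwarding them, flagging the escapes the excerpt lists. `decodeURIComponent` stands in for the decoding step, and `riskyEscapes`, `decodeOnce`, `buildCookieHeader` and the sample values are hypothetical.

```javascript
// Added example; not undici's code. decodeURIComponent stands in for the
// percent-decoding step the advisory excerpt describes (an assumption).

// Escapes that decode to control bytes (%00-%1F, %7F) or to the cookie
// delimiters ';' (%3B) and '=' (%3D).
const RISKY_ESCAPE = /%(?:[01][0-9a-f]|7f|3b|3d)/gi;

// List the risky escapes in an encoded cookie value, upper-cased.
function riskyEscapes(raw) {
  return (raw.match(RISKY_ESCAPE) || []).map((e) => e.toUpperCase());
}

// Decode once; a malformed escape leaves the value as it was.
function decodeOnce(raw) {
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw;
  }
}

// Hypothetical helper: build a Cookie header from [name, encodedValue] pairs,
// forwarding values in encoded form and refusing any with a risky escape.
function buildCookieHeader(pairs) {
  const kept = [];
  const rejected = [];
  for (const [name, raw] of pairs) {
    const found = riskyEscapes(raw);
    if (found.length === 0) kept.push(`${name}=${raw}`);
    else rejected.push({ name, found });
  }
  return { header: kept.join('; '), rejected };
}

// Constructed sample values, not taken from the advisory.
const SAMPLE = [
  ['theme', 'dark%20mode'],
  ['sid', 'abc%0D%0Adef'],
  ['pref', 'a%3Bb%3Dc'],
  ['tok', 'x%00y'],
  ['note', '%250D'], // double-encoded: one decode yields the text "%0D"
];

const result = buildCookieHeader(SAMPLE);
console.log(result.header);
console.log(result.rejected);
console.log(JSON.stringify(decodeOnce('abc%0D%0Adef')));
```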