Node.js undici
cpe:2.3:a:nodejs:undici:*:*:*:*:node.js:*:*
- < 6.24.0
- >= 7.0.0, < 7.24.0
A vulnerability in Undici allows the inclusion of duplicate HTTP Content-Length headers when they are provided in an array with case-variant names, such as 'Content-Length' and 'content-length'. This results in malformed HTTP/1.1 requests with conflicting Content-Length values. The issue affects versions of Undici prior to 6.24.0 and between 7.0.0 and 7.24.0. The vulnerability impacts applications that use 'undici.request()', 'undici.Client', or similar low-level APIs with headers passed as flat arrays, as well as those that accept user-controlled header names without case normalization. The potential consequences include denial-of-service, as strict HTTP parsers will reject requests with duplicate Content-Length headers, and HTTP request smuggling, which can lead to cache poisoning, access control bypass, or credential hijacking.
Exploitation of this vulnerability can cause HTTP request smuggling, a form of attack in which an intermediary server and a backend server interpret the conflicting HTTP headers differently, allowing malicious requests to be passed from the intermediary to the backend or in the reverse direction. This can disrupt normal application behavior and, in some cases, bypass security controls. Additionally, the vulnerability can cause a denial-of-service condition, because strict HTTP parsers answer requests carrying duplicate Content-Length headers with an HTTP 400 Bad Request response.
The vulnerability can be reproduced by sending an HTTP request that includes duplicate 'Content-Length' headers with case variations. This can be done with a tool such as Postman or curl by crafting a request that specifies the 'Content-Length' header twice, once with the standard casing and once with a lowercase variant. The receiving server or proxy should be one that adheres strictly to the HTTP/1.1 standard: it will reject the request with a '400 Bad Request' response, which demonstrates the denial-of-service aspect of the vulnerability.
Users can upgrade to Undici version 6.24.0 (6.x line) or 7.24.0 (7.x line), where this vulnerability has been patched. If an immediate upgrade is not possible, header names should be validated to ensure that no duplicate 'Content-Length' headers are present before they are passed to Undici. Alternatively, headers can be passed as a plain object, which automatically deduplicates by key, or user input can be sanitized by normalizing header names to lowercase and rejecting duplicates.
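The last of those workarounds, normalizing names to lowercase and rejecting duplicates, as an added example that is not Undici's own code. It takes the flat `[name, value, name, value, ...]` array that the low-level APIs accept, lowercases every name before any comparison (so 'Content-Length' and 'content-length' collide), and returns a plain object that can be handed to `undici.request()`; the set of headers treated as single-valued is a constructed list for this example.

```javascript
// Constructed example (not part of undici): validate a flat header array before
// passing it to undici.request() / undici.Client so that case-variant duplicates
// of single-valued headers such as Content-Length are rejected up front.

// Headers that must not appear more than once in an HTTP/1.1 message.
// Constructed list for this example; extend it to suit your deployment.
const SINGLETON_HEADERS = new Set(['content-length', 'host', 'transfer-encoding']);

class DuplicateHeaderError extends Error {
  constructor(name) {
    super(`duplicate header not allowed: ${name}`);
    this.name = 'DuplicateHeaderError';
    this.header = name;
  }
}

// Accepts the flat [name, value, name, value, ...] form, lowercases every name
// before comparing (so 'Content-Length' and 'content-length' are the same key),
// and returns a plain object keyed by the normalized name. A repeated singleton
// header throws; other repeated headers are kept as an array of values.
function normalizeFlatHeaders(flat) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new TypeError('expected a flat [name, value, ...] array');
  }
  const seen = new Map();
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]).toLowerCase();
    const value = String(flat[i + 1]);
    if (seen.has(name)) {
      if (SINGLETON_HEADERS.has(name)) throw new DuplicateHeaderError(name);
      seen.set(name, [].concat(seen.get(name), value));
    } else {
      seen.set(name, value);
    }
  }
  return Object.fromEntries(seen);
}

// Constructed input of the kind the advisory describes: the same header twice
// under two spellings. The call throws instead of producing a malformed request.
function demo() {
  try {
    normalizeFlatHeaders(['Content-Length', '5', 'content-length', '11']);
    return 'accepted';
  } catch (err) {
    return err instanceof DuplicateHeaderError ? `rejected: ${err.header}` : 'other error';
  }
}
```

Run the normalized object through `undici.request(url, { method, headers, body })` instead of the raw array; the check rejects the request locally rather than letting a strict upstream parser answer 400.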