What is CVE-2026-11525?

CVE-2026-11525 is a low-severity vulnerability in Undici, classified under CWE-183. CVSS score: 3.7/10. Published 2026-06-17.

How severe is CVE-2026-11525?

Low severity. CVSS v3 base score is 3.7 out of 10.

Vulnerability in Undici

CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently map…

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Undici — versions 0, 6.26.0, 7.0.0

Weakness classification (CWE)

CWE-183

References

ce714d77-add3-4f53-aff5-83d477b104bb
ce714d77-add3-4f53-aff5-83d477b104bb

Frequently asked questions

What is CVE-2026-11525?: CVE-2026-11525 is a low-severity vulnerability in Undici, classified under CWE-183. CVSS score: 3.7/10. Published 2026-06-17.
How severe is CVE-2026-11525?: Low severity. CVSS v3 base score is 3.7 out of 10.