SCA: security update for undici (GHSA-g8m3-5g58-fq7m)

Severity: Low | Tenable Cloud Security | Plugin ID 443600

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict). Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added.
- Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
- Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it. (CVE-2026-11525)
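The workaround above, written out as an added example (this is independent validation code, not undici's own parser): the raw SameSite attribute is read back from the Set-Cookie header and accepted only on an exact, case-insensitive match against the three RFC 6265 tokens, so the substring cases the advisory names are rejected instead of being mapped to a weaker token. The header strings are constructed for illustration.

```javascript
// Added example, not undici code. Applies the advisory's workaround: an exact,
// case-insensitive check of the SameSite attribute against the RFC tokens.
const SAMESITE_TOKENS = ['Strict', 'Lax', 'None'];

// Return the raw SameSite attribute value from a Set-Cookie header string,
// or undefined when the attribute is absent.
function rawSameSite(setCookie) {
  const attributes = setCookie.split(';').slice(1); // drop the name=value pair
  for (const attribute of attributes) {
    const [name, ...rest] = attribute.split('=');
    if (name.trim().toLowerCase() === 'samesite') {
      return rest.join('=').trim();
    }
  }
  return undefined;
}

// Map a raw attribute value to its canonical token. Only an exact,
// case-insensitive match is accepted; a value that merely contains a token as a
// substring (NoneOfYourBusiness, StrictLax) yields null.
function canonicalSameSite(raw) {
  if (raw === undefined) return undefined;
  const token = SAMESITE_TOKENS.find((t) => t.toLowerCase() === raw.toLowerCase());
  return token === undefined ? null : token;
}

// Guard to run after the cookie parser: returns the canonical token that is safe
// to forward, undefined when the header carried no SameSite attribute, and null
// when the raw attribute is non-spec or disagrees with the parsed value. A null
// result should be treated as "do not forward this sameSite value" (fail closed).
function validateParsedSameSite(setCookie, parsedSameSite) {
  const canonical = canonicalSameSite(rawSameSite(setCookie));
  if (canonical === null) return null;
  if (canonical === undefined) return parsedSameSite === undefined ? undefined : null;
  return canonical.toLowerCase() === String(parsedSameSite).toLowerCase() ? canonical : null;
}
```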

Solution

Update the undici library and its related packages to version 6.27.0 or later.

See Also

https://github.com/advisories/GHSA-g8m3-5g58-fq7m

Plugin Details

Severity: Low

ID: 443600

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-11525

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2026

Vulnerability Publication Date: 6/17/2026

Reference Information

CVE: CVE-2026-11525

CWE: CWE-183