CVE Vulnerabilities

CVE-2026-6733

Time-of-check Time-of-use (TOCTOU) Race Condition

Published: Jun 17, 2026 | Modified: Jun 27, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
3.7 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Impact: Undicis HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.

Affected Software

NameVendorStart VersionEnd Version
UndiciNodejs*6.27.0 (excluding)
UndiciNodejs7.0.0 (including)7.28.0 (excluding)
UndiciNodejs8.0.0 (including)8.5.0 (excluding)
Red Hat Enterprise Linux 10RedHatnodejs24-1:24.18.0-1.el10_2*
Red Hat Enterprise Linux 10RedHatnodejs22-1:22.23.1-2.el10_2*
Red Hat Enterprise Linux 9RedHatnodejs:24-9080020260626074955.rhel9*
Red Hat Enterprise Linux 9RedHatnodejs:22-9080020260626075442.rhel9*
Node-undiciUbuntuquesting*

Potential Mitigations

References