CVE-2026-1526
Unbounded Memory Consumption DoS in undici WebSocket Client
Publication date: 2026-03-12
Last updated on: 2026-03-20
Assigner: openjs
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | undici | Up to 6.24.0 (exc) |
| nodejs | undici | From 7.0.0 (inc) to 7.24.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the undici WebSocket client library when it uses the permessage-deflate extension to decompress incoming compressed WebSocket frames.

The issue lies in the PerMessageDeflate.decompress() method, which decompresses incoming data without enforcing any limit on the size of the decompressed output.

A malicious WebSocket server can exploit this by sending a small compressed frame that expands into a very large amount of data in memory, known as a "decompression bomb."

This causes the Node.js process using undici to consume excessive memory, potentially crashing or becoming unresponsive due to memory exhaustion. [1]
How can this vulnerability impact me?
The vulnerability can lead to a remote denial-of-service (DoS) attack against any Node.js application using the undici WebSocket client.
By sending a specially crafted compressed frame, an attacker can cause the application to consume unbounded memory, exhausting native or external memory resources.
This memory exhaustion can cause the Node.js process to crash or become unresponsive, disrupting service availability.
There are no application-level mitigations or workarounds because the decompression happens before message delivery.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for this vulnerability because the issue occurs during the decompression of WebSocket frames within the undici WebSocket client. The attack involves a malicious server sending a small compressed frame that expands to a very large size in memory, causing the Node.js process to exhaust memory and crash or become unresponsive.
Since the vulnerability manifests as unbounded memory consumption and process crashes or unresponsiveness, monitoring Node.js application memory usage and crash logs may help detect exploitation attempts.
No application-level mitigations or workarounds exist because decompression happens before message delivery, and no specific commands for detection are documented.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the undici WebSocket client library to a patched version.
- Upgrade to undici version 6.24.0 or later if using the 6.x series.
- Upgrade to undici version 7.24.0 or later if using the 7.x series.
No application-level mitigations or workarounds exist because the decompression occurs before message delivery, so patching is the only effective solution.