CVE-2026-1526
Status: Received - Intake
Unbounded Memory Consumption DoS in undici WebSocket Client

Publication date: 2026-03-12

Last updated on: 2026-03-20

Assigner: openjs

Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-20
Generated: 2026-06-16
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
nodejs   undici    up to 6.24.0 (excluding)
nodejs   undici    from 7.0.0 (including) to 7.24.0 (excluding)
CWE
CWE-409: The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Executive Summary

This vulnerability affects the undici WebSocket client library when it uses the permessage-deflate extension to decompress incoming compressed WebSocket frames.

The issue lies in the PerMessageDeflate.decompress() method, which decompresses incoming data without enforcing any limit on the size of the decompressed output.

A malicious WebSocket server can exploit this by sending a small compressed frame that expands into a very large amount of data in memory, known as a "decompression bomb."

This causes the Node.js process using undici to consume excessive memory, potentially crashing or becoming unresponsive due to memory exhaustion. [1]

Impact Analysis

The vulnerability can lead to a remote denial-of-service (DoS) attack against any Node.js application using the undici WebSocket client.

By sending a specially crafted compressed frame, an attacker can cause the application to consume unbounded memory, exhausting native or external memory resources.

This memory exhaustion can cause the Node.js process to crash or become unresponsive, disrupting service availability.

There are no application-level mitigations or workarounds because the decompression happens before message delivery.


Detection Guidance

No specific detection commands or network indicators are documented for this vulnerability: the issue occurs inside the undici WebSocket client while it inflates permessage-deflate frames, and the triggering frame is small and looks like ordinary compressed traffic on the wire.

Because exploitation manifests as unbounded memory growth followed by a crash or an unresponsive process, monitoring the memory usage and crash logs of Node.js applications that open outbound WebSocket connections is the most practical signal of an exploitation attempt. In practice, the most reliable check is a dependency inventory: confirm whether the installed undici version falls in the affected ranges listed above.

No application-level mitigations or workarounds exist, because decompression happens before the message is delivered to application code.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the undici WebSocket client library to a patched version.

  • Upgrade to undici version 6.24.0 or later if using the 6.x series.
  • Upgrade to undici version 7.24.0 or later if using the 7.x series.

No application-level mitigations or workarounds exist because the decompression occurs before message delivery, so patching is the only effective solution.
