CVE-2026-2229
Denial-of-Service in undici WebSocket via Invalid Compression Parameter
Publication date: 2026-03-12
Last updated on: 2026-03-20
Assigner: openjs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | undici | Up to 6.24.0 (exc) |
| nodejs | undici | From 7.0.0 (inc) to 7.24.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
The undici WebSocket client has a vulnerability that allows a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate compression extension.
When a WebSocket client connects, it advertises support for permessage-deflate compression. A malicious server can respond with an invalid server_max_window_bits value outside the valid range of 8 to 15 defined by zlib.
Upon receiving compressed frames, the client tries to create a zlib InflateRaw instance using this invalid windowBits value, which causes a synchronous RangeError exception.
Because the code does not properly validate the numeric range of server_max_window_bits and does not catch this exception, the error propagates and immediately terminates the Node.js process, resulting in a denial-of-service.
How can this vulnerability impact me?
This vulnerability can cause your Node.js process running the undici WebSocket client to crash immediately when connecting to a malicious WebSocket server.
The impact is a denial-of-service (DoS) attack, where the availability of your application or service is disrupted due to the uncaught exception triggered by invalid compression parameters.
No confidentiality or integrity is affected, but the high impact on availability can cause service interruptions and downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when a WebSocket client using the undici library connects to a server that responds with an invalid server_max_window_bits value outside the valid zlib range of 8-15 during the permessage-deflate extension negotiation.
Detection involves monitoring WebSocket handshake messages to identify if the server advertises a server_max_window_bits parameter with a value outside the valid range (8-15).
Since the vulnerability triggers a synchronous RangeError exception causing process termination, monitoring Node.js process crashes or logs for such exceptions can also indicate exploitation attempts.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the undici WebSocket client library to version 6.24.0 or later, or 7.24.0 or later, where this vulnerability has been patched.
No specific workarounds or alternative mitigations are mentioned in the available resources.