CVE-2026-2229
Received Received - Intake
Denial-of-Service in undici WebSocket via Invalid Compression Parameter

Publication date: 2026-03-12

Last updated on: 2026-03-20

Assigner: openjs

Description
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2229
EUVD
EUVD-2026-11704
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nodejs undici to 6.24.0 (exc)
nodejs undici From 7.0.0 (inc) to 7.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-248 An exception is thrown from a function, but it is not caught.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The undici WebSocket client has a vulnerability that allows a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate compression extension.

When a WebSocket client connects, it advertises support for permessage-deflate compression. A malicious server can respond with an invalid server_max_window_bits value outside the valid range of 8 to 15 defined by zlib.

Upon receiving compressed frames, the client tries to create a zlib InflateRaw instance using this invalid windowBits value, which causes a synchronous RangeError exception.

Because the code does not properly validate the numeric range of server_max_window_bits and does not catch this exception, the error propagates and immediately terminates the Node.js process, resulting in a denial-of-service.

Impact Analysis

This vulnerability can cause your Node.js process running the undici WebSocket client to crash immediately when connecting to a malicious WebSocket server.

The impact is a denial-of-service (DoS) attack, where the availability of your application or service is disrupted due to the uncaught exception triggered by invalid compression parameters.

No confidentiality or integrity is affected, but the high impact on availability can cause service interruptions and downtime.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises when a WebSocket client using the undici library connects to a server that responds with an invalid server_max_window_bits value outside the valid zlib range of 8-15 during the permessage-deflate extension negotiation.

Detection involves monitoring WebSocket handshake messages to identify if the server advertises a server_max_window_bits parameter with a value outside the valid range (8-15).

Since the vulnerability triggers a synchronous RangeError exception causing process termination, monitoring Node.js process crashes or logs for such exceptions can also indicate exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the undici WebSocket client library to version 6.24.0 or later, or 7.24.0 or later, where this vulnerability has been patched.

No specific workarounds or alternative mitigations are mentioned in the available resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart