CVE-2026-9675
Status: Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description
Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.

Patches: Upgrade to undici >= 8.5.0.

Workarounds: No workaround is available. The fix must be applied through an upgrade.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (6 associated CPEs)
Vendor   Product   Version / Range
undici   undici    up to 8.5.0 (excluding)
undici   undici    6.25.0
undici   undici    7.x
nodejs   undici    from 8.0.0 (including) to 8.4.0 (including)
nodejs   undici    8.1.0
nodejs   undici    8.5.0
CWE
CWE ID   Description
CWE-770  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

The undici WebSocket client enforces a maximum payload size for each individual frame but does not enforce a limit on the total size of fragmented, uncompressed messages.

A malicious WebSocket server can exploit this by sending many small fragments that individually pass validation but collectively exceed the configured limit.

This causes unbounded memory growth in the client process, leading to memory exhaustion and a denial of service.

This vulnerability affects undici versions 8.0.0 through 8.4.0, specifically introduced in 8.1.0, and is fixed in version 8.5.0.
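The difference between the per-frame check described above and the cumulative check that closes the gap, shown as an added illustration in plain Node.js. This is not undici's code: the `maxPayloadSize` parameter name mirrors the advisory's option, and the frame object shape (`fin`, `opcode`, `payload`) and the helper names are assumptions made for this example. The frames are constructed in memory; no network connection is involved.

```javascript
// Added illustration (not undici's code): reassembling a fragmented WebSocket
// message with a per-frame size check only, versus with a cumulative check.
// Frame objects are constructed inline; no network I/O is involved.

const OPCODE_CONTINUATION = 0x0;
const OPCODE_BINARY = 0x2;
const CLOSE_PROTOCOL_ERROR = 1002;   // RFC 6455 close code
const CLOSE_MESSAGE_TOO_BIG = 1009;  // RFC 6455 close code

/**
 * Creates a reassembler for fragmented messages.
 * @param {number}  maxPayloadSize byte limit (name assumed from the advisory)
 * @param {boolean} cumulative     false: per-frame check only; true: also check the running total
 */
function createMessageAssembler(maxPayloadSize, cumulative) {
  let fragments = [];
  let received = 0;

  function reset() { fragments = []; received = 0; }

  // Returns { status: 'message', data } when a message completes,
  // { status: 'partial', buffered } while fragments are pending, or
  // { status: 'close', code } when the connection must be closed.
  return function onFrame(frame) {
    const { fin, opcode, payload } = frame;

    // Per-frame check: rejects a single oversized frame, but on its own
    // says nothing about how much is already buffered for this message.
    if (payload.length > maxPayloadSize) {
      reset();
      return { status: 'close', code: CLOSE_MESSAGE_TOO_BIG };
    }
    // Basic fragmentation state validation.
    if (opcode !== OPCODE_CONTINUATION && fragments.length > 0) {
      reset();
      return { status: 'close', code: CLOSE_PROTOCOL_ERROR };
    }
    if (opcode === OPCODE_CONTINUATION && fragments.length === 0) {
      return { status: 'close', code: CLOSE_PROTOCOL_ERROR };
    }

    received += payload.length;
    // Cumulative check: bounds the total buffered for one message, which is
    // what stops many small fragments from growing memory without limit.
    if (cumulative && received > maxPayloadSize) {
      reset();
      return { status: 'close', code: CLOSE_MESSAGE_TOO_BIG };
    }
    fragments.push(payload);
    if (!fin) return { status: 'partial', buffered: received };

    const data = Buffer.concat(fragments);
    reset();
    return { status: 'message', data };
  };
}

// Feeds an assembler `fragmentCount` fragments of `fragmentSize` bytes each
// (constructed sample data) and reports what happened and how much was buffered.
function simulateFragmentedMessage(maxPayloadSize, cumulative, fragmentSize, fragmentCount) {
  const onFrame = createMessageAssembler(maxPayloadSize, cumulative);
  let peakBuffered = 0;
  for (let i = 0; i < fragmentCount; i++) {
    const frame = {
      fin: i === fragmentCount - 1,
      opcode: i === 0 ? OPCODE_BINARY : OPCODE_CONTINUATION,
      payload: Buffer.alloc(fragmentSize, 0x41), // constructed sample fragment
    };
    const result = onFrame(frame);
    if (result.status === 'close') {
      return { outcome: 'closed', code: result.code, atFragment: i + 1, peakBuffered };
    }
    if (result.status === 'partial') peakBuffered = result.buffered;
    if (result.status === 'message') {
      return { outcome: 'delivered', bytes: result.data.length, peakBuffered };
    }
  }
  return { outcome: 'incomplete', peakBuffered };
}

// Per-frame check only: five 300-byte fragments all pass, and 1500 bytes are
// delivered against a 1000-byte limit. With the cumulative check the client
// closes with 1009 on the fourth fragment, having buffered at most 900 bytes.
console.log(simulateFragmentedMessage(1000, false, 300, 5));
console.log(simulateFragmentedMessage(1000, true, 300, 5));
```

The message-level limit is the property to verify when reviewing any WebSocket client: a per-frame bound alone leaves the buffered total under the sender's control, since the sender chooses both fragment size and fragment count. Closing with 1009 (Message Too Big) is the close code RFC 6455 defines for this case.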

Impact Analysis

This vulnerability can cause unbounded memory growth in applications using the undici WebSocket client when connecting to attacker-controlled or compromised WebSocket servers.

The result is memory exhaustion in the client process, which leads to a denial of service condition, making the application unavailable.

No privileges or user interaction are required for exploitation, increasing the risk of impact.

Detection Guidance

Detection of this vulnerability involves identifying applications that use the undici WebSocket client at versions 8.0.0 through 8.4.0 (the regression was introduced in 8.1.0).

Since the vulnerability is triggered by connecting to attacker-controlled or compromised WebSocket endpoints that send many small fragmented messages, monitoring WebSocket traffic for unusual fragmentation patterns or excessive fragmented message sizes may help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The only effective mitigation is to upgrade the undici WebSocket client to version 8.5.0 or later, where the vulnerability has been patched.

No workarounds are available to mitigate this issue without upgrading.

Compliance Impact

The vulnerability causes a denial of service through unbounded memory growth in the undici WebSocket client, impacting system availability.

There is no information provided about direct effects on data confidentiality, integrity, or privacy that would relate to compliance with standards like GDPR or HIPAA.

Therefore, based on the provided information, this vulnerability primarily affects availability but does not explicitly indicate compliance risks related to common standards and regulations.
