Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc
Severity: Medium
Description
The fetch() API supports chained HTTP content codings on response bodies as described in RFC 9110: a response may list several codings in its Content-Encoding header (e.g. `Content-Encoding: gzip, br`), applied in the order given, and the client must remove them in reverse order. The undici decompress interceptor supports the same chaining. In the affected versions the length of that chain is not bounded, so a server-controlled response can declare an arbitrarily long list of codings that the client then attempts to unwind, consuming resources in proportion to the length of the chain rather than to the size of the body it was asked to fetch.
Recommendation
Update the undici package to the latest compatible version. Version details:

- Affected version(s): **< 6.23.0** and **>= 7.0.0, < 7.18.2**
- Patched version(s): **6.23.0** and **7.18.2**
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- Undici has CRLF Injection in undici via `upgrade` option - CVE-2026-1527
- Tags:
- npm
- undici
Last updated on January 22, 2026