Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc

Description

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

• Affected version(s): **< 6.23.0

  >= 7.0.0, < 7.18.2**

• Patched version(s): **6.23.0

  7.18.2**

References

• GHSA-g9mf-h72j-4rw9
• CVE-2026-22036
• CWE-770
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
• Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
• Strapi Upload Plugin MIME Validation Bypass via Content API - CVE-2026-22707
• Undici has an HTTP Request/Response Smuggling issue - CVE-2026-1525

You might also like:

How to Use SmartScanner for Securing Your Node.js Applications

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

undici