Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Severity: High
Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size.
Recommendation
Update the undici package to the latest compatible version. Version details:
Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**. Patched version(s): **7.24.0** and **6.24.0**.
References
- GHSA-vrm6-8vpv-qv8q
- hackerone.com
- cna.openjsf.org
- datatracker.ietf.org
- owasp.org
- CVE-2026-1526
- CWE-409
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - CVE-2026-2229
- Undici has CRLF Injection in undici via `upgrade` option - CVE-2026-1527
Tags: npm, undici
Last updated on March 13, 2026