Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Severity: High
Description
The undici WebSocket client is vulnerable to a denial-of-service attack because it does not properly validate the server_max_window_bits parameter of the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for the permessage-deflate compression extension.
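As an added example (not undici's code), the following shows what a defensive parse of the server's Sec-WebSocket-Extensions response looks like: the server_max_window_bits value is checked against the 8 to 15 range that RFC 7692 (the permessage-deflate specification) requires, and a malformed or out-of-range value is returned as a structured rejection instead of being thrown as an unhandled exception. The header values are constructed samples.

```javascript
// Added example, not undici's implementation: parse the permessage-deflate
// extension from a Sec-WebSocket-Extensions header and validate
// server_max_window_bits without ever throwing on hostile input.

// RFC 7692 section 7.1.2.1: server_max_window_bits in a server response MUST be
// a decimal integer from 8 to 15; a bare parameter is only valid in the client's offer.
const MIN_WINDOW_BITS = 8;
const MAX_WINDOW_BITS = 15;

// Returns a map of parameter -> value ('true' when the parameter has no value)
// for the first permessage-deflate entry, or null when the extension is absent.
function parsePermessageDeflate(headerValue) {
  if (typeof headerValue !== 'string') return null;
  for (const ext of headerValue.split(',')) {
    const [name, ...params] = ext.split(';').map((s) => s.trim());
    if (name !== 'permessage-deflate') continue;
    const result = {};
    for (const p of params) {
      if (p === '') continue;
      const eq = p.indexOf('=');
      const key = eq === -1 ? p : p.slice(0, eq).trim();
      // RFC 7692 allows the value to be a quoted-string; strip the quotes.
      const value = eq === -1 ? true : p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
      result[key] = value;
    }
    return result;
  }
  return null;
}

// Returns { ok: true, bits } or { ok: false, reason }. A rejection lets the
// caller fail the handshake cleanly instead of crashing the process.
function validateServerMaxWindowBits(params) {
  if (!params || !('server_max_window_bits' in params)) {
    return { ok: true, bits: MAX_WINDOW_BITS }; // parameter absent: default window of 15
  }
  const raw = params.server_max_window_bits;
  if (raw === true) return { ok: false, reason: 'server_max_window_bits needs a value in a response' };
  if (!/^[0-9]{1,2}$/.test(raw)) return { ok: false, reason: `not a decimal integer: ${raw}` };
  const bits = Number(raw);
  if (bits < MIN_WINDOW_BITS || bits > MAX_WINDOW_BITS) {
    return { ok: false, reason: `server_max_window_bits out of range 8..15: ${bits}` };
  }
  return { ok: true, bits };
}

// Constructed sample of a server response header value.
const sample = 'permessage-deflate; server_max_window_bits=10; client_no_context_takeover';
console.log(validateServerMaxWindowBits(parsePermessageDeflate(sample)));
```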
Recommendation
Update the undici package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**
Patched version(s): **7.24.0** and **6.24.0**
References
- GHSA-v9p9-hfj2-hcw8
- hackerone.com
- cna.openjsf.org
- datatracker.ietf.org
- nodejs.org
- CVE-2026-2229
- CWE-248
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability - CVE-2026-44211
- Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-azure - CVE-2026-34750
- Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-gcs - CVE-2026-34750
- Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-r2 - CVE-2026-34750
Tags: npm, undici
Last updated on March 13, 2026


