Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
- Severity: High
Description
The undici WebSocket client is vulnerable to denial of service through improper validation of the server_max_window_bits parameter of the permessage-deflate extension (RFC 7692). When the WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression in its handshake. If the server answers with an invalid server_max_window_bits value (RFC 7692 only permits an integer from 8 to 15), the client does not reject it; the bad value is passed on to the decompressor, which throws, and because that exception is not caught (CWE-248) it can terminate the client process. Any server the client connects to, or anyone able to answer the handshake in its place, can trigger this.
Recommendation
Update the undici package to the latest compatible version. Version details:
- Affected version(s): **>= 7.0.0, < 7.24.0** and **< 6.24.0**
- Patched version(s): **7.24.0** and **6.24.0**
References
- GHSA-v9p9-hfj2-hcw8
- hackerone.com
- cna.openjsf.org
- datatracker.ietf.org
- nodejs.org
- CVE-2026-2229
- CWE-248
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - CVE-2026-1528
- Tags: npm, undici
Last updated on March 13, 2026