Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

Description

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici’s ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Recommendation

Update the undici package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 7.0.0, < 7.24.0

  >= 6.0.0, < 6.24.0**

• Patched version(s): **7.24.0

  6.24.0**

References

• GHSA-f269-vfmq-vjvj
• hackerone.com
• cna.openjsf.org
• CVE-2026-1528
• CWE-1284
• CWE-248
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - CVE-2026-2229
• jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions - CVE-2026-25535
• Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - CVE-2026-1526
• Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter - CVE-2026-29793

Tags:

npm

undici