Home

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

PUBLISHED Reserved 2026-01-28 | Published 2026-03-12 | Updated 2026-03-12 | Assigner openjs




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-409 Improper handling of highly compressed data (data amplification)

Product status

Default status
unaffected

< 6.24.0; 7.0.0 < 7.24.0
affected

6.24.0: 7.24.0
unaffected

Credits

Matteo Collina remediation developer

Ulises Gascón remediation developer

HO9 finder

References

github.com/...undici/security/advisories/GHSA-vrm6-8vpv-qv8q

hackerone.com/reports/3481206

cna.openjsf.org/security-advisories.html

datatracker.ietf.org/doc/html/rfc7692

cve.org (CVE-2026-1526)

nvd.nist.gov (CVE-2026-1526)

Download JSON