CVE-2026-2229
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| undici | undici | < 6.24.0; 7.0.0 < 7.24.0 | affected |
| undici | undici | 6.24.0: 7.24.0 | unaffected |
Weaknesses
- CWE-248: CWE-248 Uncaught exception
- CWE-1284: CWE-1284 Improper validation of specified quantity in input
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
Additional References
- https://access.redhat.com/security/cve/CVE-2026-2229
- https://bugzilla.redhat.com/show_bug.cgi?id=2447143
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2229.json
- https://access.redhat.com/errata/RHSA-2026:17789
- https://access.redhat.com/errata/RHSA-2026:7310
- https://access.redhat.com/errata/RHSA-2026:7080
- https://access.redhat.com/errata/RHSA-2026:7675
- https://access.redhat.com/errata/RHSA-2026:7123
- https://access.redhat.com/errata/RHSA-2026:7670
- https://access.redhat.com/errata/RHSA-2026:7983
- https://access.redhat.com/errata/RHSA-2026:7302
- https://access.redhat.com/errata/RHSA-2026:7350
- https://access.redhat.com/errata/RHSA-2026:34342
- https://access.redhat.com/errata/RHSA-2026:9742
- https://access.redhat.com/errata/RHSA-2026:13826
- https://access.redhat.com/errata/RHSA-2026:5807
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/errata/RHSA-2026:21931
References
- https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
- https://hackerone.com/reports/3487486
- https://cna.openjsf.org/security-advisories.html
- https://datatracker.ietf.org/doc/html/rfc7692
- https://nodejs.org/api/zlib.html#class-zlibinflateraw
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.