undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression
Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Undici WebSocket client crashes via unbounded memory consumption during permessage-deflate decompression (decompression bomb).
Vulnerability
Overview
CVE-2026-1526 is a denial-of-service vulnerability in the undici HTTP/1.1 client for Node.js, specifically in its WebSocket implementation. The bug resides in the PerMessageDeflate.decompress() method, which handles decompression of incoming WebSocket frames when the permessage-deflate extension is negotiated. The method accumulates all decompressed chunks into a single Buffer without enforcing any limit on the total size, allowing a malicious server to send a small compressed frame that expands to an extremely large size in memory—a classic decompression bomb [1][2].
Exploitation
Conditions
Exploitation requires the client to establish a WebSocket connection with a server that negotiates the permessage-deflate extension. The attacker must control the server endpoint or be able to inject malicious frames into an existing connection. No authentication or special network position is needed beyond the ability to send WebSocket frames; the attack is triggered purely by receiving a crafted compressed message [2].
Impact
A successful attack causes the Node.js process to exhaust all available memory, leading to a crash or unresponsiveness. This constitutes a denial of service (DoS) against the application using undici, potentially affecting all users of that service. The OWASP Denial of Service attack category describes such resource exhaustion as a direct threat to availability [3].
Mitigation
Status
As of the publication date (2026-03-12), no patch has been announced in the provided references. Users should monitor the undici repository [2] and the OpenJS Foundation security advisories [4] for updates. Until a fix is released, disabling the permessage-deflate extension on the client side or limiting WebSocket connections to trusted servers may reduce risk.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | < 6.24.0 | 6.24.0 |
| undici (npm) | >= 7.0.0, < 7.24.0 | 7.24.0 |
Affected products
- undici/undici (v5), range: < 6.24.0; 7.0.0 < 7.24.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-vrm6-8vpv-qv8q (source: GHSA; advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-1526 (source: GHSA; advisory)
- https://cna.openjsf.org/security-advisories.html (source: GHSA; web)
- https://datatracker.ietf.org/doc/html/rfc7692 (source: GHSA; web)
- https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q (source: GHSA; web)
- https://hackerone.com/reports/3481206 (source: GHSA; web)
- https://owasp.org/www-community/attacks/Denial_of_Service (source: GHSA; web)
News mentions
No linked articles in our index yet.