undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client

Vulnerability

Details

CVE-2026-1528 describes an integer overflow in undici's ByteParser when processing WebSocket frames that use the 64-bit length form. If a server sends a frame with an extremely large length value, the parser's internal arithmetic overflows, leading to an invalid state. This results in a fatal TypeError that terminates the client process [2][4].

Exploitation

The attack is straightforward: an attacker-controlled WebSocket server sends a specially crafted frame to a vulnerable undici client. No authentication or special network position is required beyond the ability to establish a WebSocket connection. The client does not need to be tricked into sending any data; merely receiving the malicious frame triggers the overflow [4].

Impact

Successful exploitation causes the undici client to crash with an uncaught TypeError, effectively performing a denial of service (DoS) against the application using undici. Since undici is a core HTTP/1.1 client for Node.js, this can disrupt any service that relies on it for WebSocket communication [2][4].

Mitigation

The vulnerability is patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to these or later versions immediately. No workarounds are available [4].