High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026
undici: Malicious WebSocket 64-bit length overflows undici parser and crashes the client
CVE-2026-1528
Description
Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
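The 64-bit length form mentioned under Impact is the RFC 6455 encoding in which a 7-bit length of 127 is followed by an 8-byte length field. The following is an added example, not undici's code or its patch: a frame-header parser that reads that field as a BigInt and rejects oversized values before any arithmetic is done on them. `parseFrameHeader`, `MAX_PAYLOAD` and the sample frames are assumptions constructed here.

```javascript
// Added example (not undici's code): bounds-checked WebSocket frame header
// parsing per RFC 6455 section 5.2.
const MAX_PAYLOAD = 64 * 1024 * 1024; // assumed application limit (64 MiB)

function parseFrameHeader(buf, maxPayload = MAX_PAYLOAD) {
  if (buf.length < 2) return { ok: false, reason: 'incomplete' };
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  const len7 = buf[1] & 0x7f;
  let offset = 2;
  let length = BigInt(len7);

  if (len7 === 126) {
    if (buf.length < 4) return { ok: false, reason: 'incomplete' };
    length = BigInt(buf.readUInt16BE(2));
    offset = 4;
    // RFC 6455: the shortest possible length encoding must be used.
    if (length < 126n) return { ok: false, reason: 'non-minimal' };
  } else if (len7 === 127) {
    if (buf.length < 10) return { ok: false, reason: 'incomplete' };
    length = buf.readBigUInt64BE(2); // exact 64-bit value, no float rounding
    offset = 10;
    // RFC 6455: the most significant bit of the 64-bit length must be 0.
    if ((length >> 63n) !== 0n) return { ok: false, reason: 'length-msb-set' };
    if (length <= 0xffffn) return { ok: false, reason: 'non-minimal' };
  }
  // Compare as BigInt first; convert to Number only once it is known small.
  if (length > BigInt(maxPayload)) return { ok: false, reason: 'too-large' };
  return {
    ok: true, fin, opcode, masked,
    payloadLength: Number(length),
    headerLength: offset + (masked ? 4 : 0), // masking key follows the length
  };
}

// Constructed sample headers (not captured traffic).
const SAMPLES = {
  small: Buffer.from([0x81, 0x05]),
  medium: Buffer.from([0x82, 0x7e, 0x01, 0x00]),
  huge: Buffer.from([0x82, 0x7f, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]),
  msbSet: Buffer.from([0x82, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]),
};

for (const [name, frame] of Object.entries(SAMPLES)) {
  console.log(name, parseFrameHeader(frame));
}
```

A caller would close the connection with status 1009 (message too big) or 1002 (protocol error) on a rejected header instead of letting an exception reach the process.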
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | >= 6.0.0, < 6.24.0 | 6.24.0 |
| undici (npm) | >= 7.0.0, < 7.24.0 | 7.24.0 |
Affected products
| Package (OSV coordinates) | Affected range |
|---|---|
| pkg:apk/chainguard/code-server | < 4.110.1-r2 |
| pkg:apk/chainguard/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/chainguard/jitsucom-jitsu-rotor | < 2.11.0-r17 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r0 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.6-r3 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.2-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.2-r0 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.179.1-r1 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.179.1-r1 |
| pkg:apk/chainguard/librechat | < 0.8.4-r3 |
| pkg:apk/chainguard/pelias-api | < 7.6.0-r4 |
| pkg:apk/chainguard/renovate | < 43.84.0-r1 |
| pkg:apk/wolfi/code-server | < 4.110.1-r2 |
| pkg:apk/wolfi/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/wolfi/jitsucom-jitsu-rotor | < 2.11.0-r17 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.179.1-r1 |
| pkg:apk/wolfi/renovate | < 43.84.0-r1 |
| pkg:npm/undici | >= 6.0.0, < 6.24.0 |
| pkg:rpm/almalinux/nodejs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs24 | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-devel | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-docs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-full-i18n | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-libs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-npm | < 1:11.11.0-1.24.14.1.2.el10_1 |
| pkg:rpm/almalinux/nodejs-devel | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-docs | < 1:22.22.2-1.el10_1 |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-libs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-nodemon | < 3.0.1-1.module_el8.10.0+4006+3c416519 |
| pkg:rpm/almalinux/nodejs-npm | < 1:10.9.7-1.22.22.2.1.el10_1 |
| pkg:rpm/almalinux/nodejs-packaging | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-packaging-bundler | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/npm | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-12.4-devel | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-13.6-devel | < 3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 |