VYPR
Moderate severity · OSV Advisory · Published Jan 14, 2026 · Updated Jan 22, 2026

Undici: unbounded decompression chain in HTTP responses on the Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2026-22036

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain applied to a response body is unbounded, and Node's default maxHeaderSize is large enough for a malicious server to send a Content-Encoding header listing thousands of compression steps. Decoding such a chain leads to high CPU usage and excessive memory allocation on the client. This vulnerability is fixed in 7.18.0 and 6.23.0.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions     Patched version
undici    npm         >= 7.0.0, < 7.18.2    7.18.2
undici    npm         < 6.23.0              6.23.0

Note that the GitHub Security Advisory lists 7.18.2 as the patched version for the 7.x line, while the description above says 7.18.0; upgrading to 7.18.2 or later satisfies both.
