Moderate severity · OSV Advisory · Published Jan 14, 2026 · Updated Jan 22, 2026
Undici has an unbounded decompression chain in HTTP responses via Content-Encoding in the Node.js Fetch API, leading to resource exhaustion
CVE-2026-22036
Description
Undici is an HTTP/1.1 client for Node.js, and it is also the implementation behind Node.js's built-in global fetch(), which is why the Node.js distribution packages below are listed alongside the npm package. Prior to 7.18.0 and 6.23.0, the number of links in the response decompression chain is unbounded: the client undoes every content-coding listed in the Content-Encoding header, and the default maxHeaderSize is large enough for a malicious server to list thousands of compression steps in that one header, causing high CPU usage and excessive memory allocation on the client for a response body that cost the server almost nothing to produce. Any Node.js code that fetches URLs it does not fully control (webhook callers, link previewers, proxies, SSRF-reachable fetchers) is exposed. The description states the fix as 7.18.0 and 6.23.0; the affected-versions table below lists 7.18.2 as the patched 7.x release, so upgrade to 7.18.2 or later on the 7.x line and to 6.23.0 or later on 6.x.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| undici | npm | >= 7.0.0, < 7.18.2 | 7.18.2 |
| undici | npm | < 6.23.0 | 6.23.0 |
Affected products
40 products, each with a version range and no CPE assigned.
| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/code-server | | < 4.106.3-r2 |
| pkg:apk/chainguard/jitsucom-jitsu-console | | < 2.11.0-r12 |
| pkg:apk/chainguard/jitsucom-jitsu-rotor | | < 2.11.0-r12 |
| pkg:apk/chainguard/kibana-8.19 | | < 8.19.10-r2 |
| pkg:apk/chainguard/kibana-8.19-bitnami | | < 8.19.10-r2 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | | < 8.19.10-r2 |
| pkg:apk/chainguard/kibana-9.0 | | < 9.0.8-r7 |
| pkg:apk/chainguard/kibana-9.0-bitnami | | < 9.0.8-r7 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | | < 9.0.8-r7 |
| pkg:apk/chainguard/kibana-9.1 | | < 9.1.10-r2 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | | < 9.1.10-r2 |
| pkg:apk/chainguard/kibana-9.2 | | < 9.2.3-r4 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | | < 9.2.3-r4 |
| pkg:apk/chainguard/langfuse-3-worker | | < 3.146.0-r2 |
| pkg:apk/chainguard/langfuse-fips-3-worker | | < 3.147.0-r1 |
| pkg:apk/chainguard/librechat | | < 0.8.1-r5 |
| pkg:apk/chainguard/renovate | | < 42.94.1-r2 |
| pkg:apk/wolfi/code-server | | < 4.106.3-r2 |
| pkg:apk/wolfi/jitsucom-jitsu-console | | < 2.11.0-r12 |
| pkg:apk/wolfi/jitsucom-jitsu-rotor | | < 2.11.0-r12 |
| pkg:apk/wolfi/langfuse-3-worker | | < 3.146.0-r2 |
| pkg:apk/wolfi/renovate | | < 42.94.1-r2 |
| pkg:npm/undici | | >= 7.0.0, < 7.18.2 |
| pkg:rpm/opensuse/nodejs20 | openSUSE Leap 15.6 | < 20.20.0-150600.3.15.1 |
| pkg:rpm/opensuse/nodejs22 | openSUSE Leap 15.6 | < 22.22.0-150600.13.12.1 |
| pkg:rpm/opensuse/nodejs22 | openSUSE Leap 16.0 | < 22.22.0-160000.1.1 |
| pkg:rpm/opensuse/nodejs22 | openSUSE Tumbleweed | < 22.22.0-1.1 |
| pkg:rpm/opensuse/nodejs24 | openSUSE Tumbleweed | < 24.13.0-2.1 |
| pkg:rpm/opensuse/nodejs26 | openSUSE Tumbleweed | < 26.3.1-1.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | < 20.20.0-150500.11.24.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | < 20.20.0-150500.11.24.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise Server 15 SP5-LTSS | < 20.20.0-150500.11.24.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise Server 15 SP6-LTSS | < 20.20.0-150600.3.15.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | < 20.20.0-150500.11.24.1 |
| pkg:rpm/suse/nodejs20 | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | < 20.20.0-150600.3.15.1 |
| pkg:rpm/suse/nodejs22 | SUSE Linux Enterprise Module for Web and Scripting 15 SP7 | < 22.22.0-150700.3.6.1 |
| pkg:rpm/suse/nodejs22 | SUSE Linux Enterprise Server 15 SP6-LTSS | < 22.22.0-150600.13.12.1 |
| pkg:rpm/suse/nodejs22 | SUSE Linux Enterprise Server 16.0 | < 22.22.0-160000.1.1 |
| pkg:rpm/suse/nodejs22 | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | < 22.22.0-150600.13.12.1 |
| pkg:rpm/suse/nodejs22 | SUSE Linux Enterprise Server for SAP applications 16.0 | < 22.22.0-160000.1.1 |
References
- GitHub advisory (GHSA-g9mf-h72j-4rw9): https://github.com/advisories/GHSA-g9mf-h72j-4rw9
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-22036
- Fix commit in nodejs/undici: https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
- Project security advisory: https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9