undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation
Description
Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value; the constructor throws a synchronous RangeError that is not caught, and the Node.js process terminates immediately.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| undici | npm | < 6.24.0 | 6.24.0 |
| undici | npm | >= 7.0.0, < 7.24.0 | 7.24.0 |
Affected products
No CPE identifiers are listed; affected ranges are given per package URL (50 packages).

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/code-server | < 4.110.1-r2 |
| pkg:apk/chainguard/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/chainguard/jitsucom-jitsu-rotor | < 2.11.0-r17 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r0 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.6-r3 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.2-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.2-r0 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.179.1-r1 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.179.1-r1 |
| pkg:apk/chainguard/librechat | < 0.8.4-r3 |
| pkg:apk/chainguard/pelias-api | < 7.6.0-r4 |
| pkg:apk/chainguard/renovate | < 43.84.0-r1 |
| pkg:apk/wolfi/code-server | < 4.110.1-r2 |
| pkg:apk/wolfi/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/wolfi/jitsucom-jitsu-rotor | < 2.11.0-r17 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.179.1-r1 |
| pkg:apk/wolfi/renovate | < 43.84.0-r1 |
| pkg:npm/undici | < 6.24.0 |
| pkg:rpm/almalinux/nodejs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs24 | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-devel | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-docs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-full-i18n | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-libs | < 1:24.14.1-2.el10_1 |
| pkg:rpm/almalinux/nodejs24-npm | < 1:11.11.0-1.24.14.1.2.el10_1 |
| pkg:rpm/almalinux/nodejs-devel | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-docs | < 1:22.22.2-1.el10_1 |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-libs | < 1:22.22.2-1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-nodemon | < 3.0.1-1.module_el8.10.0+4006+3c416519 |
| pkg:rpm/almalinux/nodejs-npm | < 1:10.9.7-1.22.22.2.1.el10_1 |
| pkg:rpm/almalinux/nodejs-packaging | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/nodejs-packaging-bundler | < 2021.06-6.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/npm | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-12.4-devel | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f |
| pkg:rpm/almalinux/v8-13.6-devel | < 3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 |
References
- github.com/advisories/GHSA-v9p9-hfj2-hcw8 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-2229 (advisory, via GHSA)
- cna.openjsf.org/security-advisories.html (web, via GHSA)
- datatracker.ietf.org/doc/html/rfc7692 (web, via GHSA)
- github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 (web, via GHSA)
- hackerone.com/reports/3487486 (web, via GHSA)
- nodejs.org/api/zlib.html (web, via GHSA)