undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation
Description
Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Undici WebSocket client crashes on invalid server_max_window_bits due to missing validation and uncaught exception.
Vulnerability Overview
The undici WebSocket client is vulnerable to a denial-of-service (DoS) attack through improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a client connects to a WebSocket server, it advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside the valid zlib range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination [1][2].
Root Cause and Exploitation
The vulnerability exists because the isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid 8-15 range. Additionally, the createInflateRaw() call is not wrapped in a try-catch block, so the resulting exception propagates up the call stack and crashes the Node.js process. An attacker can exploit this by controlling a WebSocket server that the undici client connects to and sending a crafted extension negotiation response with an invalid server_max_window_bits value [1].
Impact
Successful exploitation leads to immediate termination of the Node.js process, resulting in a denial of service. The attack requires no authentication and can be performed by any malicious WebSocket server that the client connects to. This is a classic uncaught-exception DoS vulnerability in a widely used HTTP/1.1 client library for Node.js [3].
Mitigation
As of the publication date (2026-03-12), no patch has been announced. Users should monitor the undici repository and the OpenJS Foundation security advisories for updates [4]. Until a fix is available, avoid connecting to untrusted WebSocket servers or consider implementing a workaround that validates the server_max_window_bits parameter before passing it to zlib.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | < 6.24.0 | 6.24.0 |
| undici (npm) | >= 7.0.0, < 7.24.0 | 7.24.0 |
Affected products
- undici/undici: < 6.24.0; >= 7.0.0, < 7.24.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v9p9-hfj2-hcw8 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-2229 (advisory)
- cna.openjsf.org/security-advisories.html (web)
- datatracker.ietf.org/doc/html/rfc7692 (web)
- github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 (web)
- hackerone.com/reports/3487486 (web)
- nodejs.org/api/zlib.html (web)
News mentions
No linked articles in our index yet.