Description
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected.

Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.

Workarounds: No workaround is available. The fix must be applied through an upgrade.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The undici WebSocket client enforces a maximum payload size (maxPayloadSize) on the cumulative byte count of the fragments in a WebSocket message but does not enforce a limit on the number of fragments. A malicious server can stream a large number of very small or empty continuation frames that individually pass the per-frame and cumulative-size checks; because each buffered fragment costs memory regardless of its payload length, the byte cap is never reached while the client allocates progressively more memory until it is exhausted. This resource exhaustion results in a denial of service of the client process. The weakness is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
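To make the two checks concrete, the following is an added example written for this page, not undici's own code: a minimal RFC 6455 encoder/decoder for unmasked server-to-client frames and a hypothetical Reassembler class whose maxPayloadSize caps cumulative bytes (the check the advisory says exists) and whose maxFragments caps the number of buffered fragments (the missing check). The hostile stream it feeds in, a non-final text frame followed by many empty continuation frames, is constructed here for illustration; the names Reassembler, FragmentLimitError, maliciousStream and run are assumptions of this example and do not exist in undici.

```javascript
'use strict';
// Added example for this page, not undici's code. Reassembler, FragmentLimitError,
// maliciousStream and run are hypothetical names; the hostile input is constructed.

const OPCODE = { CONTINUATION: 0x0, TEXT: 0x1, BINARY: 0x2 };

// Encode one unmasked (server-to-client) RFC 6455 frame; payloads < 64 KiB suffice here.
function encodeFrame({ fin, opcode, payload }) {
  const len = payload.length;
  if (len >= 65536) throw new RangeError('example supports payloads < 64 KiB');
  const b0 = (fin ? 0x80 : 0x00) | opcode;
  const header = len < 126 ? Buffer.from([b0, len]) : Buffer.from([b0, 126, len >>> 8, len & 0xff]);
  return Buffer.concat([header, payload]);
}

// Decode one unmasked frame at `offset`; masked frames and 64-bit lengths are out of scope.
function decodeFrame(buf, offset = 0) {
  if (buf.length - offset < 2) throw new Error('truncated frame header');
  const b0 = buf[offset], b1 = buf[offset + 1];
  if (b1 & 0x80) throw new Error('masked frame not expected from a server');
  let len = b1 & 0x7f, pos = offset + 2;
  if (len === 127) throw new RangeError('64-bit lengths not supported here');
  if (len === 126) { len = buf.readUInt16BE(pos); pos += 2; }
  const payload = buf.subarray(pos, pos + len);
  if (payload.length !== len) throw new Error('truncated frame payload');
  return { frame: { fin: (b0 & 0x80) !== 0, opcode: b0 & 0x0f, payload }, next: pos + len };
}

class FragmentLimitError extends Error {}

// Buffers fragments until a FIN frame completes the message. maxPayloadSize caps
// cumulative bytes (the check the advisory says exists); maxFragments caps the
// number of buffered fragments (the missing one). Leaving maxFragments unset
// reproduces the weak behaviour: an empty continuation adds 0 bytes but costs a slot.
class Reassembler {
  constructor({ maxPayloadSize, maxFragments = Infinity }) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = [];
    this.bytes = 0;
    this.opcode = null; // opcode of the message in progress, or null
  }

  // Returns the complete message payload, or null while still buffering.
  push({ fin, opcode, payload }) {
    if (opcode === OPCODE.CONTINUATION) {
      if (this.opcode === null) throw new Error('continuation without a message in progress');
    } else {
      if (this.opcode !== null) throw new Error('new message before the previous one finished');
      this.opcode = opcode;
    }
    if (this.bytes + payload.length > this.maxPayloadSize) throw new RangeError('maxPayloadSize exceeded');
    if (this.fragments.length >= this.maxFragments) throw new FragmentLimitError('maxFragments exceeded');
    this.fragments.push(payload);
    this.bytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = []; this.bytes = 0; this.opcode = null;
    return message;
  }
}

// Constructed hostile input: a non-final TEXT frame followed by `count` empty,
// non-final continuation frames. Each frame passes the per-frame and byte checks.
function maliciousStream(count) {
  const frames = [encodeFrame({ fin: false, opcode: OPCODE.TEXT, payload: Buffer.from('hi') })];
  const empty = encodeFrame({ fin: false, opcode: OPCODE.CONTINUATION, payload: Buffer.alloc(0) });
  for (let i = 0; i < count; i++) frames.push(empty);
  return Buffer.concat(frames);
}

// Feed a byte stream through a Reassembler; report what it buffered and which
// limit, if any, stopped it (a real client would close with status 1009 there).
function run(stream, opts) {
  const r = new Reassembler(opts);
  let offset = 0, frames = 0, stopped = null;
  try {
    while (offset < stream.length) {
      const { frame, next } = decodeFrame(stream, offset);
      offset = next;
      frames++;
      r.push(frame);
    }
  } catch (e) {
    stopped = e.constructor.name;
  }
  return { frames, buffered: r.fragments.length, bytes: r.bytes, stopped };
}

console.log(run(maliciousStream(100000), { maxPayloadSize: 1024 }));
console.log(run(maliciousStream(100000), { maxPayloadSize: 1024, maxFragments: 64 }));
```

With only the byte cap, every empty continuation frame still costs an array slot, so the buffer grows with the frame count (100001 fragments) while the byte counter stays at 2 and nothing ever trips. With maxFragments set, the reassembler fails closed at the 65th frame. A real client would close the connection with status 1009 (Message Too Big) at that point, the RFC 6455 code for this case; a legitimately fragmented message that finishes within both caps still reassembles normally.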

Affected Systems

Applications that use the undici WebSocket client API (new WebSocket(...)) or the WebSocketStream interface are affected when they connect to any WebSocket endpoint that can be controlled by an attacker. All releases of undici from version 6.17.0 onward contain the vulnerability. The recommended patch is to upgrade to undici 6.26.0 or newer in the 6.x series, 7.28.0 or newer in the 7.x series, or 8.5.0 or newer in the 8.x series.

Risk and Exploitability

With a CVSS 3.1 base score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low complexity, no privileges or user interaction, availability impact only) the vulnerability is rated high severity, while the EPSS score of less than 1% indicates a low but non-zero probability of exploitation. The flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation but marks the attack as automatable. Because the attacker must control, or have compromised, the WebSocket server that the undici client connects to, the threat is most relevant where applications establish WebSocket connections to endpoints they do not control, or to a legitimate server that has been compromised. No workaround is currently available; the only mitigation is to apply the recommended upgrade.

Generated by OpenCVE AI on June 18, 2026 at 18:00 UTC.

Remediation

A vendor fix is available: upgrade to undici 6.26.0, 7.28.0, or 8.5.0, or a later release in the same series. No workaround is provided.

OpenCVE Recommended Actions

  • Upgrade undici to the patched release (6.26.0+, 7.28.0+, or 8.5.0+).
  • Restrict the undici client from connecting to untrusted or unknown WebSocket endpoints by configuring network controls or firewall rules.
  • Monitor application memory usage and intervene if high memory consumption is detected, restarting the process if necessary.

Generated by OpenCVE AI on June 18, 2026 at 18:00 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:15:00 +0000

Type                  Values Removed     Values Added
First Time appeared                      Undici
                                         Undici undici
Vendors & Products                       Undici
                                         Undici undici

Thu, 18 Jun 2026 16:45:00 +0000

Type                  Values Removed     Values Added
References
Metrics               threat_severity    threat_severity
                      None               Important

Thu, 18 Jun 2026 04:45:00 +0000

Type                  Values Removed     Values Added
Description                              Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. (Full text as in the Description section above.)
Title                                    undici WebSocket client vulnerable to denial of service via fragment count bypass
Weaknesses                               CWE-400
                                         CWE-770
References
Metrics                                  cvssV3_1
                                         {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                         ssvc
                                         {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-06-17T17:30:13.782Z
Reserved: 2026-06-12T18:14:04.454Z
Link: CVE-2026-12151

Vulnrichment

Updated: 2026-06-17T17:30:10.410Z

NVD

No data.

Red Hat

Severity: Important
Public Date: 2026-06-17T16:05:38Z
Links: CVE-2026-12151 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T19:00:10Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling