Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unbounded memory consumption
Action: Immediate Patch
AI Analysis

Impact

The undici WebSocket client performs permessage-deflate decompression without monitoring the size of the decompressed data. A single small compressed frame can inflate into an extremely large payload, exhausting process memory and causing the Node.js application to crash or become unresponsive. This is a classic uncontrolled buffer growth issue that leads to denial of service.

Affected Systems

Any Node.js application that imports the undici package, particularly when using the permessage-deflate WebSocket extension, is affected. The CVE does not specify vulnerable versions, so all releases that include the vulnerable PerMessageDeflate.decompress() method are at risk.

Risk and Exploitability

The vulnerability scores a CVSS of 7.5 (High) and has an EPSS below 1%, indicating that exploitation is unlikely but still possible. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw by hosting a malicious WebSocket server that sends a compression bomb; the client allocates memory without bound, resulting in resource exhaustion. The impact is limited to the Node.js process that handles the connection, which can still affect the availability of the entire application.

Generated by OpenCVE AI on March 20, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to the latest version containing the fix for permessage-deflate decompression
  • If an upgrade is not immediately possible, apply a code patch that limits the decompressed size or switches to a safer decompression implementation
  • Implement monitoring to detect unusually large memory usage by undici processes and log or restart affected instances
  • Consider network-level controls to restrict connections to trusted WebSocket servers and reject unverified permessage-deflate requests



Advisories

Source: Github GHSA
ID: GHSA-vrm6-8vpv-qv8q
Title: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
History

Fri, 20 Mar 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Nodejs; Nodejs undici
CPEs                |                | cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Vendors & Products  |                | Nodejs; Nodejs undici

Fri, 13 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Undici; Undici undici
Vendors & Products  |                | Undici; Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

Type       | Values Removed        | Values Added
Weaknesses |                       | CWE-770
References |                       |
Metrics    | threat_severity: None | threat_severity: Important

Thu, 12 Mar 2026 20:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Title       |                | undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression
Weaknesses  |                | CWE-409
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-03-13T18:04:20.683Z
Reserved: 2026-01-28T12:05:07.017Z
Link: CVE-2026-1526

Vulnrichment

Updated: 2026-03-13T18:04:13.626Z

NVD

Status: Analyzed
Published: 2026-03-12T21:16:23.933
Modified: 2026-03-20T15:56:47.337
Link: CVE-2026-1526

Redhat

Severity: Important
Publish Date: 2026-03-12T20:08:05Z
Links: CVE-2026-1526 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T12:05:16Z

Weaknesses