Description
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a 64‑bit length overflow in undici's ByteParser when a WebSocket frame contains an exceptionally large length field. The overflow corrupts internal arithmetic, putting the parser into an invalid state and causing a fatal TypeError that terminates the Node.js process. This results in a denial‑of‑service condition for any application using undici, with the weakness linked to integer overflow (CWE‑1284) and unchecked error handling (CWE‑248).

Affected Systems

The flaw affects the undici HTTP client library used in Node.js environments. Versions before 7.24.0 and 6.24.0 are vulnerable. Undici is widely employed in server‑side JavaScript projects that establish outbound WebSocket connections.

Risk and Exploitability

The CVSS score of 7.5 marks the problem as high severity, while an EPSS of less than 1% indicates a low likelihood that this vulnerability will be actively exploited. The issue is not listed in the CISA KEV catalog. An attacker must be able to send a malicious WebSocket frame with an oversized 64‑bit length to a server that a running undici client connects to; upon receipt, the client will crash and stop functioning until restarted.

Generated by OpenCVE AI on March 20, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the undici library to version 7.24.0 or later (or 6.24.0 or later) and rebuild the application.
  • Verify that the upgraded application starts correctly and handles WebSocket frames as expected.
  • Implement or enable application‑level monitoring to detect unexpected process terminations and apply automatic restart or fail‑over mechanisms.

Generated by OpenCVE AI on March 20, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
History

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs undici
CPEs cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Vendors & Products Nodejs
Nodejs undici

Fri, 13 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Title undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client
Weaknesses CWE-1284
CWE-248
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nodejs Undici
Undici Undici
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-13T13:04:57.048Z

Reserved: 2026-01-28T12:05:10.024Z

Link: CVE-2026-1528

cve-icon Vulnrichment

Updated: 2026-03-13T13:04:19.272Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T21:16:25.330

Modified: 2026-03-20T15:41:40.110

Link: CVE-2026-1528

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-12T20:21:57Z

Links: CVE-2026-1528 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T10:00:25Z

Weaknesses