Description
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Published: 2026-01-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion (Denial of Service)
Action: Patch
AI Analysis

Impact

This vulnerability allows a malicious server to send HTTP responses that include an unbounded number of compression steps via the Content-Encoding header. The undici HTTP client, before version 7.18.0 and 6.23.0, does not limit the depth of the decompression chain and respects the default maxHeaderSize. An attacker can craft a response that triggers thousands of decompression stages, which consumes excessive CPU cycles and allocates large amounts of memory in the client process, potentially bringing the application to a halt or forcing a restart. The weakness matches CWE-770, Resource Exhaustion.

Affected Systems

The issue impacts the Node.js Undici HTTP client. Any application built with undici version earlier than 7.18.0 (in the 7.x series) or earlier than 6.23.0 (in the 6.x series) is vulnerable. The vulnerability is known to exist on all operating systems where node.js and undici run, as the library is pure JavaScript.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of <1% shows a very low probability of exploitation in the general population. The vulnerability is not currently listed in CISA’s KEV catalog. An attacker would need to control or trick the client into connecting to a malicious server, which is a likely scenario when the client connects to external services over an insecure or partially trusted network. If exploited, the client could suffer from high CPU usage and memory exhaustion, leading to denial of service for the affected application. The absence of a known workaround means that only an update provides remediation.

Generated by OpenCVE AI on April 18, 2026 at 06:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the undici package to version 7.18.0 or 6.23.0 or later; the patch removes the unbounded decompression chain detection.
  • Audit all outgoing HTTP requests in the application and confirm that no unexpected Content‑Encoding headers are forwarded from untrusted origins; if they exist, strip or reject them before processing.
  • Implement monitoring for unusually high CPU or memory consumption, and trigger alerts or scale‑out mechanisms if thresholds are exceeded.

Generated by OpenCVE AI on April 18, 2026 at 06:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g9mf-h72j-4rw9 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
History

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 21 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

Fri, 16 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs undici
Vendors & Products Nodejs
Nodejs undici

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Title Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Nodejs Undici
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T20:17:20.208Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22036

cve-icon Vulnrichment

Updated: 2026-01-14T19:18:13.756Z

cve-icon NVD

Status : Modified

Published: 2026-01-14T19:16:47.833

Modified: 2026-01-22T21:15:50.070

Link: CVE-2026-22036

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-14T19:07:13Z

Links: CVE-2026-22036 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses