Description
Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unhandled exception in undici WebSocket client
Action: Patch Now
AI Analysis

Impact

The vulnerability arises when a WebSocket server replies with an invalid server_max_window_bits value outside the zlib‑defined range (8–15). The handshake itself completes; the failure is triggered later, when the first compressed frame arrives and the undici client constructs a zlib InflateRaw instance with the out‑of‑range windowBits value. zlib's option validation raises a synchronous RangeError that nothing in the client catches, so the exception propagates out of the frame handler and terminates the Node.js process, resulting in a denial‑of‑service condition for every connection and request served by that process, not only the affected WebSocket. The root cause is improper validation of a specified quantity in input (CWE-1284), which leads to an uncaught exception (CWE-248).

Affected Systems

The undici library, the HTTP client used by many Node.js applications, is affected. No specific version range is listed in the advisory, so any version of undici that has not been updated to validate the server_max_window_bits parameter correctly should be treated as vulnerable. undici is also bundled inside Node.js itself as the implementation behind the built-in fetch and WebSocket globals, so both the undici package version in the dependency tree and the Node.js release in use need to be checked. Users of undici in Node.js projects should assume the risk applies until a patch is applied.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) classifies the bug as high severity: network-reachable, low complexity, no privileges or user interaction required, with the impact confined to availability. The EPSS score of less than 1% indicates a low predicted exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalog. The attack is launched from the server side of the connection: an attacker who controls, has compromised, or can impersonate (on-path) a WebSocket server returns the crafted extension parameter during the handshake and then sends a single compressed frame. Nothing is required of the client beyond connecting, and one malicious connection takes down the whole process rather than just that connection, so the exposed population is applications that open WebSocket connections to servers they do not fully trust, such as user-supplied or third-party endpoints. Given the straightforward exploitation path and the severity, the risk is elevated for those clients.

Generated by OpenCVE AI on March 20, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the undici library to the latest release that includes validation for server_max_window_bits
  • Verify that the Node.js application no longer crashes when interacting with external WebSocket servers, including a test server that answers with an out-of-range server_max_window_bits value and then sends a compressed frame
  • Apply the patch before the next code deployment and monitor the application health for any unexpected crashes


Advisories
Source: Github GHSA
ID: GHSA-v9p9-hfj2-hcw8
Title: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
History

Fri, 20 Mar 2026 15:45:00 +0000

Type: First Time appeared
Values Added: Nodejs; Nodejs undici

Type: CPEs
Values Added: cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Nodejs; Nodejs undici

Fri, 13 Mar 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Undici; Undici undici

Type: Vendors & Products
Values Added: Undici; Undici undici

Fri, 13 Mar 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important

Thu, 12 Mar 2026 20:45:00 +0000

Type: Description
Values Added: the Impact text shown under Description above

Type: Title
Values Added: undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation

Type: Weaknesses
Values Added: CWE-1284; CWE-248

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-13T13:06:46.814Z

Reserved: 2026-02-08T17:51:16.985Z

Link: CVE-2026-2229

Vulnrichment

Updated: 2026-03-13T13:06:41.726Z

NVD

Status: Analyzed

Published: 2026-03-12T21:16:25.573

Modified: 2026-03-20T15:39:12.240

Link: CVE-2026-2229

Redhat

Severity: Important

Public Date: 2026-03-12T20:27:05Z

Links: CVE-2026-2229 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T10:00:24Z

Weaknesses