Impact
The vulnerability allows a malicious WebSocket server to transmit many small fragments that each satisfy the per‑frame size limit but collectively exceed the cumulative payload threshold. This causes the undici client process to allocate an unbounded amount of memory, leading to memory exhaustion and an application denial of service. The weakness stems from insufficient enforcement of the cumulative message size and is a classic resource‑exhaustion flaw.
Affected Systems
Applications that employ the undici WebSocket client (new WebSocket(...)) configured with a maxPayloadSize are impacted. The regression is isolated to undici version 8.1.0; releases prior to 6.25.0 included the cumulative check and remain safe, and the 7.x line never implemented maxPayloadSize and is also unaffected. Updating to undici 8.5.0 or later resolves the issue.
Risk and Exploitability
The CVSS score of 7.5 indicates high seriousness. The EPSS score is less than 1 %, implying a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers must control or compromise a WebSocket endpoint to which the client connects; by sending a large number of compliant fragments the attacker forces unlimited memory allocation. The impact is limited to the client process and can lead to application downtime.
OpenCVE Enrichment
Github GHSA