Description
Impact:
The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.

Patches:
Upgrade to undici >= 8.5.0.

Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious WebSocket server to transmit many small fragments that each satisfy the per‑frame size limit but collectively exceed the cumulative payload threshold. This causes the undici client process to allocate an unbounded amount of memory, leading to memory exhaustion and an application denial of service. The weakness stems from insufficient enforcement of the cumulative message size and is a classic resource‑exhaustion flaw.

Affected Systems

Applications that employ the undici WebSocket client (new WebSocket(...)) configured with a maxPayloadSize are impacted. The regression is isolated to undici version 8.1.0; releases prior to 6.25.0 included the cumulative check and remain safe, and the 7.x line never implemented maxPayloadSize and is also unaffected. Updating to undici 8.5.0 or later resolves the issue.

Risk and Exploitability

The CVSS score of 7.5 indicates high seriousness. The EPSS score is less than 1 %, implying a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers must control or compromise a WebSocket endpoint to which the client connects; by sending a large number of compliant fragments the attacker forces unlimited memory allocation. The impact is limited to the client process and can lead to application downtime.

Generated by OpenCVE AI on June 18, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade undici to version 8.5.0 or later.
  • If an immediate upgrade is not possible, restrict outgoing WebSocket connections to trusted or internal servers and monitor for abnormal memory usage.
  • Configure a watchdog or health check that restarts the client process if its memory consumption exceeds a safe threshold.

Generated by OpenCVE AI on June 18, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-38rv-x7px-6hhq undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Undici
Undici undici
Vendors & Products Undici
Undici undici

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.
Title undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-17T17:29:42.926Z

Reserved: 2026-05-27T07:10:38.904Z

Link: CVE-2026-9675

cve-icon Vulnrichment

Updated: 2026-06-17T17:29:28.032Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T16:20:32Z

Links: CVE-2026-9675 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling