CVE-2026-22036

Medium CVSS: 5.9

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Vendor

Nodejs

Product

Undici

CWE

CWE-770

Yayın Tarihi

2026-01-14 19:16:47

Güncelleme

2026-01-22 21:15:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-770 Undici MEDIUM Nodejs 2026

Referanslar

https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3 https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9

Benzer Kayıtlar

Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject…

High

CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's Byt…

High

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_m…

Medium

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulne…

High

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessa…

Medium

CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Co…