
Ethan Arrowood

#36039de 53,640
7.5 CVSS total
Vulnerabilities · 1
PT-2026-25076
7.5
2026-03-12
Node.Js · Undici · CVE-2026-2229
**Name of the Vulnerable Software and Affected Versions**
undici versions prior to 7.24.0

**Description**
The undici WebSocket client is susceptible to a denial-of-service attack because of insufficient validation of the `server max window bits` parameter of the permessage-deflate extension. When the client opens a WebSocket connection it offers permessage-deflate compression in its handshake by default, so any client that connects to a server it does not control is exposed. A malicious server can answer with a `server max window bits` value outside the range zlib accepts (8 to 15). When that server then transmits a compressed frame, the client instantiates a zlib InflateRaw object with the invalid `windowBits` value; zlib rejects it with a synchronous RangeError, nothing catches it, and the Node.js process terminates. Two defects combine here: the `isValidClientWindowBits()` function only verifies that the value consists of ASCII digits and never checks that it falls within the accepted range, and the call to `createInflateRaw()` is not wrapped in a try-catch block, so the exception propagates up the call stack and crashes the process.

**Recommendations**
Update to undici version 7.24.0 or later.