CVE-2026-1526

Name of the Vulnerable Software and Affected Versions undici versions prior to 7.24.0

Description The undici WebSocket client is susceptible to a denial-of-service condition due to unrestricted memory usage during permessage-deflate decompression. When a WebSocket connection utilizes the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limits on the decompressed data size. A malicious WebSocket server can transmit a small compressed frame, known as a "decompression bomb," which expands to a substantial size in memory. This can lead to the Node.js process exhausting available memory, resulting in a crash or unresponsiveness. The issue resides within the PerMessageDeflate.decompress() method, which accumulates decompressed data in memory without verifying if the total size exceeds a safe limit.

Recommendations Upgrade to version 7.24.0 or later.