PT-2026-25065 · Undici
Matteo Collina
Published 2026-03-12 · Updated 2026-06-04
CVE-2026-1526
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable software and affected versions: undici versions prior to 7.24.0

Description: The undici WebSocket client is susceptible to a denial-of-service condition caused by unrestricted memory usage during permessage-deflate decompression. When a WebSocket connection uses the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can transmit a small compressed frame, known as a "decompression bomb," that expands to a very large size in memory. This can exhaust the memory available to the Node.js process, resulting in a crash or unresponsiveness. The issue resides in the PerMessageDeflate.decompress() method, which accumulates decompressed data in memory without checking whether the total size exceeds a safe limit.

Recommendations: Upgrade to version 7.24.0 or later.

Fix · DoS

Related Identifiers

ALSA-2026:7080
ALSA-2026:7123
ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-1526
GHSA-VRM6-8VPV-QV8Q
RHSA-2026:7080
RHSA-2026:7123
RHSA-2026:7302
RHSA-2026:7310
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675
RHSA-2026:7983

Affected Products

Rocky Linux
Undici