PT-2026-25076 · Node.js +1 · Undici +1
Aisle Research +4
Published 2026-03-12 · Updated 2026-05-06
CVE-2026-2229
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: undici versions prior to 7.24.0
Description: The undici WebSocket client is susceptible to a denial-of-service attack because of insufficient validation of the server_max_window_bits parameter of the permessage-deflate extension. When the WebSocket client establishes a connection, it automatically advertises support for permessage-deflate compression. A malicious server can respond with a server_max_window_bits value outside the range zlib accepts (8-15). When the server then transmits a compressed frame, the client attempts to instantiate a zlib InflateRaw object with this invalid windowBits value, which raises a synchronous RangeError that is never handled and terminates the Node.js process. The root cause is that the isValidClientWindowBits() function only verifies that the value consists of ASCII digits, without ensuring it falls within the acceptable range. In addition, the call to createInflateRaw() is not enclosed in a try-catch block, so the exception propagates up the call stack and crashes the process.
Recommendations: Update to undici version 7.24.0 or later.

Fix · DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:7080
ALSA-2026:7123
ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-SW34937
CVE-2026-2229
GHSA-V9P9-HFJ2-HCW8
RHSA-2026:7080
RHSA-2026:7123
RHSA-2026:7302
RHSA-2026:7310
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675
RHSA-2026:7983

Affected Products

Rocky Linux
Undici