PT-2026-2950 · Node.Js · Undici

Mcollina · Published 2026-01-01 · Updated 2026-05-06 · CVE-2026-22036

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 7.18.0; Undici versions prior to 6.23.0
Description: Undici is an HTTP/1.1 client for Node.js. Its fetch() API supports chained HTTP content encodings for response bodies, and the undici decompress interceptor supports them as well. Because the number of links in the decompression chain is unbounded and the default maxHeaderSize leaves room for a very long Content-Encoding header, a malicious server can insert thousands of compression steps, leading to high CPU usage and excessive memory allocation on the client.
Recommendations: Upgrade to version 7.18.0 or 6.23.0. As a workaround, apply an undici interceptor that manually filters out responses with long Content-Encoding sequences.
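The workaround above, as an added example rather than code from undici or the advisory: a small interceptor factory in the shape that undici's dispatcher.compose() accepts, which counts the codings in the response's Content-Encoding header and aborts the exchange when the chain is longer than a chosen limit. The limit (3) is a hypothetical policy value; the handler hook names and the controller.abort() behaviour are assumed to be those of the undici 7 handler interface, and the error code string is invented for illustration.

```javascript
'use strict';

// Added example, not undici's own code. Counts the links in a response's
// Content-Encoding chain and aborts the request when the chain is longer
// than a chosen limit, so a hostile server cannot force thousands of
// decompression steps on the client.

// Hypothetical policy value: legitimate responses rarely carry more than
// two or three chained codings (e.g. "gzip, br").
const DEFAULT_MAX_ENCODING_STEPS = 3;

// Split a Content-Encoding header value (a string, or an array when the
// header was sent more than once) into lower-cased coding tokens.
// "identity" is a no-op coding and is not counted as a decompression step.
function parseContentEncoding(value) {
  if (value === undefined || value === null) return [];
  const parts = Array.isArray(value) ? value : [value];
  const codings = [];
  for (const part of parts) {
    for (const raw of String(part).split(',')) {
      const coding = raw.trim().toLowerCase();
      if (coding !== '' && coding !== 'identity') codings.push(coding);
    }
  }
  return codings;
}

// Number of decompression steps implied by a headers object whose keys may
// arrive in any case (undici 7 hands handlers a plain object of headers).
function countDecompressionSteps(headers) {
  let steps = 0;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'content-encoding') {
      steps += parseContentEncoding(value).length;
    }
  }
  return steps;
}

// Interceptor factory in the shape that dispatcher.compose() accepts:
// (dispatch) => (opts, handler) => dispatch(opts, wrappedHandler).
// Assumption: the undici 7 handler interface, where the status line and
// headers arrive via onResponseStart(controller, statusCode, headers,
// statusMessage) and controller.abort(err) cancels the exchange, after
// which undici reports err through onResponseError.
function limitContentEncodingInterceptor({ maxSteps = DEFAULT_MAX_ENCODING_STEPS } = {}) {
  return (dispatch) => (opts, handler) => {
    const wrapped = {
      onRequestStart: (...args) => handler.onRequestStart?.(...args),
      onRequestUpgrade: (...args) => handler.onRequestUpgrade?.(...args),
      onResponseStart(controller, statusCode, headers, statusMessage) {
        const steps = countDecompressionSteps(headers);
        if (steps > maxSteps) {
          const err = new Error(
            `Content-Encoding chain of ${steps} steps exceeds the limit of ${maxSteps}`
          );
          err.code = 'ERR_CONTENT_ENCODING_CHAIN_TOO_LONG'; // hypothetical error code
          controller.abort(err); // stop before any decompression work is done
          return;
        }
        return handler.onResponseStart?.(controller, statusCode, headers, statusMessage);
      },
      onResponseData: (...args) => handler.onResponseData?.(...args),
      onResponseEnd: (...args) => handler.onResponseEnd?.(...args),
      onResponseError: (...args) => handler.onResponseError?.(...args),
    };
    return dispatch(opts, wrapped);
  };
}
```

To wire it in, compose it onto the dispatcher every request goes through, for example `setGlobalDispatcher(new Agent().compose(limitContentEncodingInterceptor({ maxSteps: 3 })))`, where Agent and setGlobalDispatcher are undici's exports. The check runs on the headers before any body bytes are decoded, which is the point: the cost the advisory describes is incurred while decompressing, so the response has to be refused before the decompress step ever sees it. Treat the rejections as a signal worth logging, since a Content-Encoding chain of dozens of codings is not something a well-behaved origin sends.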


Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-22036
GHSA-G9MF-H72J-4RW9
OPENSUSE-SU-2026:10074-1
OPENSUSE-SU-2026:10075-1
OPENSUSE-SU-2026:20236-1
SUSE-SU-2026:0295-1
SUSE-SU-2026:0301-1
SUSE-SU-2026:0435-1
SUSE-SU-2026:0457-1
SUSE-SU-2026:20436-1

Affected Products

Undici