PT-2026-50456 · Undici

Lpinca +2

Published 2026-06-17 · Updated 2026-06-17

CVE-2026-12151

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

undici versions 6.17.0 through 6.25.x
undici versions 7.0.0 through 7.27.x
undici versions 8.0.0 through 8.4.x

Description

The WebSocket client fails to limit the number of fragments in a message, only enforcing the maxPayloadSize on the cumulative byte count. A malicious server can send numerous small or empty continuation frames that bypass per-frame and cumulative-size validation, leading to unbounded memory growth, memory exhaustion, and a denial of service. This affects applications using the new WebSocket(...) client or the WebSocketStream API when connecting to a compromised or attacker-controlled endpoint.

Recommendations

Upgrade to version 6.26.0 or later for the 6.x branch.
Upgrade to version 7.28.0 or later for the 7.x branch.
Upgrade to version 8.5.0 or later for the 8.x branch.
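To make the flaw described above concrete, here is an illustrative message reassembler (an added example, not undici's code) that shows why a cumulative byte limit alone is insufficient: with `maxFragments` left unbounded, a stream of empty continuation frames is buffered without limit even though `maxPayloadSize` is never exceeded. The `maxFragments` option and the `MessageReassembler` class are constructed for this example.

```javascript
// Constructed example: each push() receives one already-parsed data or
// continuation frame { fin: boolean, payload: Uint8Array }. With only
// maxPayloadSize set, the check mirrors the advisory's flaw: zero-byte
// fragments never increase totalBytes, so the fragments array grows
// unbounded. maxFragments (assumed option) closes that gap.
class MessageReassembler {
  constructor({ maxPayloadSize, maxFragments = Infinity }) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = [];
    this.totalBytes = 0;
  }

  // Returns the complete message when fin is set, otherwise null. Throws
  // when a limit is exceeded so the caller can close the connection.
  push({ fin, payload }) {
    if (this.totalBytes + payload.length > this.maxPayloadSize) {
      this.reset();
      throw new RangeError('message exceeds maxPayloadSize');
    }
    if (this.fragments.length + 1 > this.maxFragments) {
      this.reset();
      throw new RangeError('message exceeds maxFragments');
    }
    this.fragments.push(payload);
    this.totalBytes += payload.length;
    if (!fin) return null;
    const out = new Uint8Array(this.totalBytes);
    let off = 0;
    for (const f of this.fragments) { out.set(f, off); off += f.length; }
    this.reset();
    return out;
  }

  reset() { this.fragments = []; this.totalBytes = 0; }
}

// Feed n empty continuation frames (the pattern the advisory describes) and
// report how many were buffered before a limit stopped the message.
function countBufferedEmptyFragments(reassembler, n) {
  for (let i = 0; i < n; i++) {
    try { reassembler.push({ fin: false, payload: new Uint8Array(0) }); }
    catch { return i; }
  }
  return reassembler.fragments.length;
}
```

A reassembler built with only `maxPayloadSize` buffers all 10000 empty fragments; one with `maxFragments: 100` rejects the message at the 101st frame.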

Tags: Fix · DoS · Resource Exhaustion · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers: CVE-2026-12151

Affected Products: Undici