CVE-2026-9675

Name of the Vulnerable Software and Affected Versions undici version 8.1.0

Description The undici WebSocket client enforces maxPayloadSize on a per-frame basis but fails to enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream numerous small fragments that individually pass validation but collectively exceed the configured limit. This leads to unbounded memory growth in the client process, resulting in memory exhaustion and a denial of service. This issue affects applications using the new WebSocket(...) client that connect to compromised or attacker-controlled endpoints.

Recommendations Upgrade to undici versions 8.5.0 or later.