Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

INFO

Published Date :

2026-03-12T20:08:05.950Z

Last Modified :

2026-03-12T20:08:05.950Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-1526 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1526.

URL Resource
https://cna.openjsf.org/security-advisories.html cve-icon cve-icon cve-icon
https://datatracker.ietf.org/doc/html/rfc7692 cve-icon cve-icon cve-icon
https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q cve-icon cve-icon cve-icon
https://hackerone.com/reports/3481206 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact