Description

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

INFO

Published Date :

2026-03-12T20:21:57.775Z

Last Modified :

2026-03-12T20:21:57.775Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-1528 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1528.

URL Resource
https://cna.openjsf.org/security-advisories.html cve-icon cve-icon cve-icon
https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj cve-icon cve-icon cve-icon
https://hackerone.com/reports/3537648 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact