CVE-2026-12151
Published 2026-06-17
Priority: P344 · Severity: high · CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.57% (42.9th percentile)
Impact:
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.
Workarounds: No workaround is available. The fix must be applied through an upgrade.
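The mechanism described above, as an added illustration that is not undici's code: a simplified message reassembler with only the cumulative-byte cap buffers an unbounded number of empty continuation frames, while an additional fragment-count cap (a hypothetical option; undici's real option names and fix are not reproduced here) rejects the stream early. The frame shape and the input stream are constructed for the example.

```javascript
// Added example (not undici's code): a minimal WebSocket message reassembler
// modelling the check described above. Frames are a constructed, simplified
// shape { fin: boolean, payload: Buffer }; the real wire format is not parsed.
class FragmentAssembler {
  // maxFragments is a hypothetical extra cap, not an undici option name.
  // Infinity reproduces the byte-count-only behaviour the advisory describes.
  constructor({ maxPayloadSize = 1024 * 1024, maxFragments = Infinity } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = [];
    this.totalBytes = 0;
  }
  reset() {
    this.fragments = [];
    this.totalBytes = 0;
  }

  // Returns 'buffered', 'complete' or 'rejected' for each incoming frame.
  push(frame) {
    // Cumulative byte check: an empty continuation frame always passes it.
    if (this.totalBytes + frame.payload.length > this.maxPayloadSize) {
      this.reset();
      return 'rejected';
    }
    // Fragment-count check: the limit the advisory says was missing. Each
    // buffered fragment costs array-slot and object overhead even when empty.
    if (this.fragments.length >= this.maxFragments) {
      this.reset();
      return 'rejected';
    }
    this.fragments.push(frame.payload);
    this.totalBytes += frame.payload.length;
    if (!frame.fin) return 'buffered';
    this.reset();
    return 'complete';
  }
}

// Feed n empty, non-final continuation frames (constructed input) and report
// how many were buffered and at which frame, if any, the assembler refused.
function streamEmptyFragments(assembler, n) {
  for (let i = 0; i < n; i++) {
    const buffered = assembler.fragments.length;
    if (assembler.push({ fin: false, payload: Buffer.alloc(0) }) === 'rejected') {
      return { rejectedAt: i, bufferedBeforeReject: buffered };
    }
  }
  return { rejectedAt: -1, bufferedBeforeReject: assembler.fragments.length };
}
```

With the byte-only configuration the fragments array simply grows with every frame received, which is the memory growth the advisory describes; the fragment cap bounds it regardless of payload size.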
Affected (38 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| nodejs | nodejs | — | — |
| nodejs | undici | >= 6.17.0 < 6.27.0 | 6.27.0 |
| nodejs | undici | >= 7.0.0 < 7.28.0 | 7.28.0 |
| nodejs | undici | >= 8.0.0 < 8.5.0 | 8.5.0 |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvelistv5: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- vendor_redhat: 7.5 HIGH
Red Hat
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
vendor_redhat · 2026-06-17 · CVSS 7.5 · HIGH · CWE-770
GHSA
undici WebSocket client vulnerable to denial of service via fragment count bypass
ghsa · 2026-06-19 · HIGH · CWE-400
VulDB
undici up to 6.25.x/7.27.x/8.4.x WebSocketStream API resource consumption (EUVD-2026-37747)
vuldb · 2026-06-17 · LOW
A vulnerability classified as problematic has been found in undici up to 6.25.x/7.27.x/8.4.x. Affected is an unknown function of the component WebSocketStream API. Performing a manipulation results in resource consumption.
This vulnerability was named CVE-2026-12151. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
CVEList
undici WebSocket client vulnerable to denial of service via fragment count bypass
cvelistv5 · 2026-06-17 · CVSS 7.5 · HIGH · CWE-400
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12151 nodejs24: undici: Denial of Service due to unbounded memory growth via WebSocket frames [fedora-all]
bugzilla · 2026-06-17 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-12151 nodejs20: undici: Denial of Service due to unbounded memory growth via WebSocket frames [fedora-all]
bugzilla · 2026-06-17 · HIGH
Bugzilla
CVE-2026-12151 undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
bugzilla · 2026-06-17 · HIGH
Bugzilla
CVE-2026-12151 nodejs22: undici: Denial of Service due to unbounded memory growth via WebSocket frames [fedora-all]
bugzilla · 2026-06-17 · HIGH
Bugzilla
CVE-2026-12151 fbthrift: undici: Denial of Service due to unbounded memory growth via WebSocket frames [fedora-all]
bugzilla · 2026-06-17 · HIGH
References
- https://cna.openjsf.org/security-advisories.html
- https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q
- https://access.redhat.com/security/cve/CVE-2026-12151
- https://bugzilla.redhat.com/show_bug.cgi?id=2489980
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12151.json