CVE-2026-1526
Severity
7.5HIGH
EPSS
0.0%
top 94.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 12
Latest updateMar 13
Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to e…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
🔴Vulnerability Details
4OSV
▶
GHSA
▶
OSV▶
CVE-2026-1526: The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression↗2026-03-12
CVEList▶
undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression↗2026-03-12
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-1526 undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression↗2026-03-12