CVE-2026-1528

CWE-248CWE-12849 documents8 sources
Severity
7.5HIGH
EPSS
0.1%
top 65.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs UndiciUndici Undici
Timeline
PublishedMar 12
Latest updateMar 13

Description

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

npmundici6.0.06.24.0+1
NVDnodejs/undici7.0.07.24.0+1
Debiannode-undici< 7.24.5+dfsg+~cs3.2.0-1
CVEListV5undici/undici>= 6.0.0 < 6.24.0; 7.0.0 < 7.24.0

🔴Vulnerability Details

4
GHSA
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client2026-03-13
OSV
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client2026-03-13
CVEList
undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client2026-03-12
OSV
CVE-2026-1528: ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length2026-03-12

📋Vendor Advisories

2
Red Hat
undici: undici: Denial of Service via crafted WebSocket frame with large length2026-03-12
Debian
CVE-2026-1528: node-undici - ImpactA server can reply with a WebSocket frame using the 64-bit length form and...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-1528 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-1528 undici: undici: Denial of Service via crafted WebSocket frame with large length2026-03-12
CVE-2026-1528 (HIGH CVSS 7.5) | ImpactA server can reply with a Web | cvebase.io