Severity
7.5HIGH
EPSS
0.2%
top 57.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 12
Latest updateMar 13
Description
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to cre…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
🔴Vulnerability Details
4GHSA▶
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation↗2026-03-13
OSV▶
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation↗2026-03-13
CVEList▶
undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation↗2026-03-12
OSV▶
CVE-2026-2229: ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in th↗2026-03-12
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-2229 undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter↗2026-03-12