SB20260424137 - Multiple vulnerabilities in undici
Published: April 24, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.
Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.
2) CRLF injection (CVE-ID: CVE-2026-1527)
The vulnerability allows a remote attacker to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
The vulnerability exists due to improper neutralization of CRLF sequences in the upgrade option of client.request() when processing user-controlled input. A remote attacker can supply a specially crafted upgrade value to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
User interaction is required because an application must pass user-controlled input to the upgrade option.
3) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.
The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.
4) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.
5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-2581)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DeduplicationHandler when processing deduplicated requests with large or chunked response bodies from an attacker-controlled or untrusted upstream endpoint. A remote attacker can trigger concurrent identical requests, causing response data to accumulate in memory and resulting in a denial of service.
Only applications with interceptors.deduplicate() enabled are vulnerable.
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)
The vulnerability allows a remote attacker to smuggle HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in undici's low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.
Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.
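A defensive pre-check for the two input-handling issues described in items 2 and 6, added here as an example and not undici's own code: it assumes an application builds options for client.request() from caller-supplied data and wants to reject CR/LF in the upgrade value and case-variant duplicate Content-Length names in a flat header array before forwarding them to undici.

```javascript
// Added example (hypothetical application-side helper, not part of undici).
// Validates caller-supplied request options before they reach
// client.request(), covering two conditions from this bulletin:
//   - CR/LF sequences in the `upgrade` option
//   - case-variant duplicate Content-Length names in a flat
//     [name, value, name, value, ...] header array

// True if a value contains CR or LF, which would let a caller break
// out of a header line and append extra headers or raw data.
function hasCrlf(value) {
  return /[\r\n]/.test(String(value));
}

// Count Content-Length names in a flat header array, comparing names
// case-insensitively, as HTTP header names are. Assumes even length.
function countContentLength(flatHeaders) {
  let count = 0;
  for (let i = 0; i < flatHeaders.length; i += 2) {
    if (String(flatHeaders[i]).toLowerCase() === 'content-length') count += 1;
  }
  return count;
}

// Returns the list of problems found; an empty list means the options
// are safe to forward. Rejecting is left to the caller so it can log.
function checkRequestOptions(opts) {
  const problems = [];
  if (opts.upgrade !== undefined && hasCrlf(opts.upgrade)) {
    problems.push('upgrade option contains CR/LF');
  }
  if (Array.isArray(opts.headers)) {
    if (opts.headers.length % 2 !== 0) {
      problems.push('flat header array has an odd number of entries');
      return problems;
    }
    for (let i = 0; i < opts.headers.length; i += 2) {
      if (hasCrlf(opts.headers[i]) || hasCrlf(opts.headers[i + 1])) {
        problems.push(`header ${i / 2} contains CR/LF`);
      }
    }
    if (countContentLength(opts.headers) > 1) {
      problems.push('duplicate Content-Length header (case-insensitive)');
    }
  }
  return problems;
}

// Constructed sample inputs for demonstration.
const cleanOpts = { upgrade: 'websocket', headers: ['Host', 'example.test', 'Content-Length', '3'] };
const badOpts = { upgrade: 'websocket\r\nX-Injected: 1', headers: ['content-length', '3', 'Content-Length', '10'] };
console.log(checkRequestOptions(cleanOpts), checkRequestOptions(badOpts));
```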
Remediation
Install the update from the vendor's website.
References
- https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
- https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
- https://github.com/advisories/GHSA-4992-7rv2-5pvq
- https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
- https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
- https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h
- https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm