SB20260424137 - Multiple vulnerabilities in undici
Published: April 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)
CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.
Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.
2) CRLF injection (CVE-ID: CVE-2026-1527)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
The vulnerability exists due to improper neutralization of CRLF sequences in the upgrade option of client.request() when processing user-controlled input. A remote attacker can supply a specially crafted upgrade value to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
User interaction is required because an application must pass user-controlled input to the upgrade option.
3) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)
CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.
The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.
4) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)
CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.
5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-2581)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DeduplicationHandler when processing deduplicated requests with large or chunked response bodies from an attacker-controlled or untrusted upstream endpoint. A remote attacker can trigger concurrent identical requests that cause response data to accumulate in memory to cause a denial of service.
Only applications with interceptors.deduplicate() enabled are vulnerable.
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to smuggle HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in undici low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.
Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.
Remediation
Install update from vendor's website.
References
- https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
- https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
- https://github.com/advisories/GHSA-4992-7rv2-5pvq
- https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
- https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
- https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h
- https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm