CVE-2026-1526
📋 TL;DR
The undici WebSocket client is vulnerable to a denial-of-service attack where a malicious WebSocket server can send a small compressed frame that expands to consume all available memory, crashing the Node.js process. This affects any application using the undici library's WebSocket client with permessage-deflate compression enabled.
💻 Affected Systems
- undici
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage as Node.js processes crash due to memory exhaustion, potentially affecting entire applications or servers.
Likely Case
Targeted DoS attacks against specific services using undici WebSocket client, causing intermittent crashes and service disruption.
If Mitigated
Minimal impact with proper memory limits and monitoring in place.
🎯 Exploit Status
Exploitation requires a malicious WebSocket server that the client connects to. The attack is simple to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.19.4
Vendor Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
Restart Required: Yes
Instructions:
1. Update undici to version 6.19.4 or later using npm update undici.
2. Restart all Node.js applications using undici.
3. Verify the update with npm list undici.
🔧 Temporary Workarounds
Disable permessage-deflate compression
Disable WebSocket compression so a malicious server cannot deliver a compressed frame that the client would inflate.
// When creating the WebSocket client:
new WebSocket(url, { perMessageDeflate: false })
🧯 If You Can't Patch
- Implement network controls to restrict WebSocket connections to trusted servers only
- Deploy memory monitoring and automatic restart mechanisms for Node.js processes
🔍 How to Verify
Check if Vulnerable:
Check undici version with npm list undici. If version is below 6.19.4, the system is vulnerable.
Check Version:
npm list undici | grep undici
Verify Fix Applied:
After updating, verify version is 6.19.4 or higher with npm list undici.
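Running npm list undici by hand misses one thing a practitioner cares about: a project can carry several copies of undici, one at the top level and others nested under SDKs, and every copy below the patched release counts. The script below is an added example, not part of this advisory or of the undici project; it takes the text printed by npm ls undici --json --all (the nested dependencies / version shape npm emits), walks the whole tree and reports every copy older than the patch version stated above. The sample tree embedded in it is constructed for illustration.

```javascript
// Added example (not from the advisory): find every copy of undici in the
// output of `npm ls undici --json --all` that is below the patched release.
const PATCHED = '6.19.4'; // patch version stated in the advisory

// Parse "6.19.4" or "6.19.4-rc.1" into numeric core parts plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Negative when a < b, 0 when equal, positive when a > b. Compares the numeric
// core first; a prerelease of the same core (6.19.4-rc.1) ranks below 6.19.4.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// Recursively collect every "undici" node in the npm ls tree with its dependency path.
function findUndici(node, path, out) {
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'undici' && child.version) {
      out.push({ path: here.join(' > '), version: child.version });
    }
    findUndici(child, here, out);
  }
  return out;
}

// Returns the copies of undici whose version is below PATCHED.
function vulnerableCopies(npmLsJsonText) {
  const tree = JSON.parse(npmLsJsonText);
  return findUndici(tree, [tree.name || 'root'], [])
    .filter((copy) => compareVersions(copy.version, PATCHED) < 0);
}

// Constructed sample standing in for real `npm ls undici --json --all` output:
// the top-level copy is patched, but an SDK pins an older nested copy.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    undici: { version: '6.19.4' },
    'some-sdk': {
      version: '2.3.0',
      dependencies: { undici: { version: '6.18.2' } },
    },
  },
});

const findings = vulnerableCopies(SAMPLE_NPM_LS);
console.log(findings.length ? findings : `no copies of undici below ${PATCHED}`);
```

To use it on a real project, replace SAMPLE_NPM_LS with the text captured from npm ls undici --json --all in the project directory; an empty result means every resolved copy is at or above 6.19.4.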
📡 Detection & Monitoring
Log Indicators:
- Node.js process crashes with out-of-memory errors
- Abnormal memory consumption spikes in WebSocket connections
Network Indicators:
- Unusually small compressed WebSocket frames followed by memory exhaustion
SIEM Query:
source="nodejs" AND ("out of memory" OR "heap out of memory") AND process="node"
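The SIEM query above matches single out-of-memory lines; the "likely case" described earlier is a pattern of repeated crashes of one service, which a single-line match does not distinguish from a one-off. The following script is an added example, not part of this advisory, showing that correlation over raw process logs: it applies the page's out-of-memory indicators, groups hits by service and raises an alert when a service crashes two or more times inside a ten-minute window. The log lines, their "<ISO timestamp> <service> <message>" layout, the service names and the window and threshold values are all constructed for illustration.

```javascript
// Added example (not from the advisory): turn the page's log indicators into a
// repeated-crash detector over constructed process logs.
const OOM_PATTERN = /out of memory|heap out of memory|Reached heap limit/i;

// Constructed sample lines in "<ISO timestamp> <service> <message>" form.
const SAMPLE_LOGS = `
2026-01-15T10:00:03Z ws-gateway info websocket connected to wss://feed.example.invalid
2026-01-15T10:02:11Z ws-gateway FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
2026-01-15T10:02:12Z ws-gateway info process restarted by supervisor
2026-01-15T10:05:40Z ws-gateway FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
2026-01-15T10:30:00Z api warn request latency high
2026-01-15T11:45:09Z batch FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
`.trim().split('\n');

// Split a line into timestamp (ms since epoch), service and message; null if malformed.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(.*)$/.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, service: m[2], message: m[3] };
}

// Every parsed line whose message matches the out-of-memory indicators.
function oomEvents(lines) {
  return lines.map(parseLine).filter((e) => e && OOM_PATTERN.test(e.message));
}

// Group OOM events by service and alert when `threshold` or more fall within `windowMs`.
function repeatedOomAlerts(lines, { windowMs = 10 * 60 * 1000, threshold = 2 } = {}) {
  const byService = new Map();
  for (const e of oomEvents(lines)) {
    if (!byService.has(e.service)) byService.set(e.service, []);
    byService.get(e.service).push(e.ts);
  }
  const alerts = [];
  for (const [service, times] of byService) {
    times.sort((a, b) => a - b);
    let start = 0;
    // Sliding window: advance `start` until the window fits, then check its size.
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        alerts.push({
          service,
          crashes: end - start + 1,
          windowStart: new Date(times[start]).toISOString(),
        });
        break;
      }
    }
  }
  return alerts;
}

console.log(repeatedOomAlerts(SAMPLE_LOGS));
```

On the sample, ws-gateway crashes twice within four minutes and is reported, while the single batch crash is not; tune windowMs and threshold to the restart behaviour of your own supervisor so that one legitimate restart does not page anyone.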