CVE-2026-1528
📋 TL;DR
This vulnerability allows a malicious server to send specially crafted WebSocket frames with extremely large length values, causing undici's ByteParser to overflow and crash the Node.js process with a fatal TypeError. It affects any application using vulnerable versions of the undici HTTP client library for Node.js.
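The failure described above sits in the frame-length path of an RFC 6455 parser: the 127 marker in the second header byte announces an 8-byte extended payload length, and a hostile server can put any 64-bit value there. The block below is an added example written for this page (it is not undici's ByteParser or any other undici code) showing how a client-side frame-header parser bounds that value before touching any buffer. The 16 MiB limit, the function names and the reject-reason strings are this example's own assumptions.

```javascript
// Added example, not undici code: minimal RFC 6455 frame-header parser for the
// client side (server -> client frames), hardened against oversized 64-bit lengths.
const MAX_PAYLOAD_BYTES = 16 * 1024 * 1024; // assumed application policy, not an undici setting

function need(n) { return { ok: false, reason: 'need_more_data', need: n }; }
function reject(reason) { return { ok: false, reason }; }

function parseFrameHeader(buf) {
  if (buf.length < 2) return need(2);
  const fin = (buf[0] & 0x80) !== 0;
  const rsv = buf[0] & 0x70;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = buf[1] & 0x7f;
  let headerLength = 2;

  if (rsv !== 0) return reject('rsv_bits_set');       // no extension negotiated here
  if (masked) return reject('masked_from_server');    // RFC 6455 5.1: server frames are unmasked

  if (length === 126) {
    if (buf.length < 4) return need(4);
    length = buf.readUInt16BE(2);
    headerLength = 4;
    if (length < 126) return reject('non_minimal_length');  // RFC 6455 5.2: minimal encoding
  } else if (length === 127) {
    if (buf.length < 10) return need(10);
    const big = buf.readBigUInt64BE(2);  // read as BigInt so no precision is lost
    // RFC 6455 5.2 requires the top bit to be 0; beyond that, anything above
    // Number.MAX_SAFE_INTEGER cannot be represented exactly as a JS number,
    // so it is rejected before it is ever converted or used as a size.
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) return reject('length_exceeds_safe_integer');
    length = Number(big);
    headerLength = 10;
    if (length < 65536) return reject('non_minimal_length');
  }

  // Control frames (opcode >= 8) must be unfragmented and at most 125 bytes.
  if (opcode >= 0x8 && (length > 125 || !fin)) return reject('invalid_control_frame');
  // Policy limit enforced before any payload buffer would be allocated.
  if (length > MAX_PAYLOAD_BYTES) return reject('payload_exceeds_limit');

  return { ok: true, fin, opcode, length, headerLength };
}

// Build the first 10 bytes of a server->client frame that uses the 8-byte length form.
function buildExtendedHeader(lengthBig, opcode = 0x2, fin = true) {
  const header = Buffer.alloc(10);
  header[0] = (fin ? 0x80 : 0) | opcode;
  header[1] = 127;                       // mask bit clear, 64-bit length follows
  header.writeBigUInt64BE(lengthBig, 2);
  return header;
}

// Constructed sample headers: a hostile all-ones length, an absurd-but-representable
// length, and a legitimate 70000-byte binary frame.
function checkSamples() {
  return {
    hostile: parseFrameHeader(buildExtendedHeader(0xffffffffffffffffn)),
    oversized: parseFrameHeader(buildExtendedHeader(BigInt(2 ** 40))),
    legitimate: parseFrameHeader(buildExtendedHeader(70000n)),
  };
}

console.log(checkSamples());
```

The order of checks matters: the BigInt comparison runs before `Number()` conversion, and the policy limit runs before the caller would call `Buffer.alloc` for the payload, so a hostile length never reaches an allocation or arithmetic path where it could fault.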
💻 Affected Systems
- undici
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry version ranges, so automated scanners keyed on NVD data cannot determine whether your system is affected.
Why? The vendor/NVD record provides no affected-version ranges. The vendor advisory linked below does name the patched releases (6.24.0 for the v6 line, 7.24.0 for the v7 line), so verify against those rather than relying on a scanner.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service - the Node.js process terminates, disrupting all services running on that process.
Likely Case
Service disruption through process termination when connecting to malicious or compromised servers.
If Mitigated
No impact once patched. Unpatched, exposure is limited to clients that connect to servers an attacker controls or whose traffic an attacker can modify in transit; plaintext ws:// connections over untrusted networks fall into the second group, wss:// connections largely do not.
🎯 Exploit Status
Exploitation requires control of the server the client connects to, or ability to intercept/modify WebSocket traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.24.0 or v7.24.0
Vendor Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
Restart Required: Yes
Instructions:
1. Find every copy of undici in the dependency tree, including nested copies pulled in by SDKs and frameworks: npm ls undici --all
2. Update package.json so the direct dependency requires undici >=6.24.0 (for the v6 line) or >=7.24.0 (for the v7 line). For nested copies, update the parent package or pin the version with an override.
3. Run npm update undici (or npm install undici@^6.24.0 / undici@^7.24.0), then confirm with npm ls undici --all that no vulnerable version remains in the lockfile.
4. Restart all Node.js applications so the new code is loaded.
Note: Node.js also ships its own bundled copy of undici behind the global fetch and WebSocket implementations. That copy is not updated by npm; check the release notes for your Node.js version to see whether it carries the corresponding fix.
🔧 Temporary Workarounds
Restrict WebSocket connections
Only allow WebSocket connections to trusted, known servers, and prefer wss:// so that frames cannot be altered in transit.
Use process monitoring with auto-restart
Implement process monitoring that automatically restarts crashed Node.js processes. This limits downtime but does not stop the crash; a server that can trigger it once can trigger it on every reconnect.
pm2 start app.js
(pm2 restarts a process that exits on its own; --watch only restarts on file changes and is not needed here)
For systemd, set Restart=on-failure in the unit file, then: systemctl enable --now node-app
🧯 If You Can't Patch
- Implement network segmentation to restrict which servers applications can connect to
- Deploy WebSocket proxies that validate frame sizes before forwarding to vulnerable clients
🔍 How to Verify
Check if Vulnerable:
Check if undici version is below 6.24.0 (for v6) or below 7.24.0 (for v7)
Check Version:
npm ls undici --all
Verify Fix Applied:
Confirm undici version is 6.24.0+ or 7.24.0+ and test WebSocket functionality
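A manual version check misses nested copies of undici that a framework or SDK brings in. The block below is an added example for this page (not a tool from the undici project or from this site) that walks the JSON output of `npm ls undici --all --json` and classifies every copy it finds against the patch versions stated above. The status labels, the treatment of major lines the advisory does not list (flagged for manual review rather than assumed safe), and the embedded sample tree are this example's own assumptions.

```javascript
// Added example, not undici code: classify every undici copy in an `npm ls --json` tree
// against the fixed versions named in the advisory (6.24.0 for v6, 7.24.0 for v7).
const FIXED_IN = {
  6: { major: 6, minor: 24, patch: 0 },
  7: { major: 7, minor: 24, patch: 0 },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function cmpVersion(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// 'vulnerable' | 'fixed' | 'review' (major line not covered by the advisory) | 'unknown'
function undiciStatus(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const fixed = FIXED_IN[v.major];
  if (!fixed) return 'review'; // assumption: unlisted majors need a human look, not an automatic pass
  return cmpVersion(v, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Recursively walk the `dependencies` objects that `npm ls --json` emits and collect
// each undici node with its path from the root package.
function findUndici(tree, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === 'undici' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, status: undiciStatus(node.version) });
    }
    findUndici(node, here, out);
  }
  return out;
}

// Constructed sample in the shape `npm ls undici --all --json` produces: one direct
// vulnerable copy and one nested copy that is already on the fixed version.
const sampleTree = {
  name: 'app', version: '1.0.0',
  dependencies: {
    undici: { version: '7.10.0' },
    'some-sdk': { version: '2.3.1', dependencies: { undici: { version: '6.24.0' } } },
  },
};

let tree = sampleTree;
if (process.argv[2]) {
  // Real run: node check-undici.js undici-tree.json
  tree = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
}
for (const hit of findUndici(tree)) {
  console.log(`${hit.status.padEnd(10)} undici@${hit.version}  (${hit.path})`);
}
```

Generate the input with `npm ls undici --all --json > undici-tree.json` in the application directory and pass the file as the first argument; without an argument the block runs on its embedded sample. Anything reported as vulnerable or review needs the update steps in the Fix section, and an empty report means npm found no undici at all, which does not cover the copy bundled inside Node.js itself.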
📡 Detection & Monitoring
Log Indicators:
- Node.js process crashes with TypeError related to ByteParser
- WebSocket connection failures followed by process termination
Network Indicators:
- Server-to-client frames using the 8-byte extended payload-length form (length marker 127) with declared lengths far beyond any plausible message size
- Unusual WebSocket traffic patterns
SIEM Query:
process.name:"node" AND error:"TypeError" AND message:"ByteParser"