CVE-2026-22036
📋 TL;DR
This vulnerability in the Undici HTTP client allows a malicious server to send specially crafted compressed responses that force the client to perform excessive decompression steps, causing high CPU usage and memory allocation. It affects Node.js applications that use vulnerable Undici versions to make HTTP requests to untrusted servers. The impact is denial of service through resource exhaustion.
💻 Affected Systems
- Undici HTTP client for Node.js
📦 What is this software?
Undici by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for the Node.js application due to CPU and memory exhaustion, potentially causing application crashes or unresponsiveness.
Likely Case
Degraded performance and increased resource consumption when interacting with malicious or compromised servers, leading to service disruption.
If Mitigated
Minimal impact if patched or if applications only communicate with trusted servers.
🎯 Exploit Status
Exploitation requires control of the server responding to HTTP requests. No authentication needed on client side.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.18.0 or 6.23.0
Vendor Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
Restart Required: Yes
Instructions:
1. Update the Undici dependency to version 7.18.0 or higher (for major version 7) or 6.23.0 or higher (for major version 6).
2. Run 'npm update undici' or 'yarn upgrade undici'.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Limit maxHeaderSize
Reduce the maximum allowed header size to limit compression chain exploitation
const { Client } = require('undici');
// Undici's default maxHeaderSize is already 16384 bytes, so pick a value below the default for this option to tighten anything.
const client = new Client('http://example.com', { maxHeaderSize: 16384 });
Disable compression
Configure Undici to not accept compressed responses
const { Client } = require('undici');
const client = new Client('http://example.com');
// Accept-Encoding is a request header, so set it on each request; a hostile server can still ignore it and send a compressed body.
client.request({ path: '/', method: 'GET', headers: { 'accept-encoding': 'identity' } }).then(({ body }) => body.text());
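The workarounds above only ask the server nicely. As an added example (not code from the Undici project or this advisory), the following guard inspects a response's Content-Encoding header before any decompression happens and refuses chains longer than a policy limit; MAX_CODINGS and the sample headers are assumptions constructed here, and the check is meant to be called on the headers that undici's request() or fetch() returns.

```javascript
// Added example, not code from the Undici project or the advisory.
// Policy guard for the compression-chain issue: look at Content-Encoding before
// decompressing anything and reject stacked chains. MAX_CODINGS is a
// hypothetical policy value; tune it for the servers your service talks to.
const MAX_CODINGS = 2;
const KNOWN_CODINGS = new Set(['gzip', 'x-gzip', 'deflate', 'br', 'zstd', 'identity']);

// Split a Content-Encoding value into its codings, in the order the server
// applied them. Repeated header lines may arrive as an array; join them first.
function parseContentEncoding(value) {
  if (value == null) return [];
  const joined = Array.isArray(value) ? value.join(',') : String(value);
  return joined.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Accepts either the plain header object undici's request() returns or a
// fetch()-style Headers instance. Returns { ok, codings, reason }.
function checkEncodingChain(headers, maxCodings = MAX_CODINGS) {
  const raw = typeof headers.get === 'function'
    ? headers.get('content-encoding')
    : headers['content-encoding'];
  const codings = parseContentEncoding(raw);
  if (codings.length > maxCodings) {
    return { ok: false, codings, reason: `encoding chain of ${codings.length} exceeds limit ${maxCodings}` };
  }
  const unknown = codings.filter((c) => !KNOWN_CODINGS.has(c));
  if (unknown.length > 0) {
    return { ok: false, codings, reason: `unsupported coding(s): ${unknown.join(', ')}` };
  }
  return { ok: true, codings, reason: '' };
}

// Constructed sample responses (not captured traffic): a normal gzip reply,
// one with two header lines, and a hostile stacked chain of eight codings.
const SAMPLES = {
  normal: { 'content-encoding': 'gzip' },
  stackedLines: { 'content-encoding': ['gzip', 'br'] },
  hostile: { 'content-encoding': 'gzip, gzip, gzip, gzip, gzip, gzip, gzip, gzip' },
};

// Evaluate every sample and report which ones the policy would let through.
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = checkEncodingChain(headers).ok;
  }
  return out;
}

console.log(runSamples()); // { normal: true, stackedLines: true, hostile: false }
```

When the check fails, drain or destroy the response body without handing it to a decompressor, and log the rejected chain so the event shows up in the detection queries below.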
🧯 If You Can't Patch
- Implement network filtering to restrict HTTP requests to trusted servers only
- Monitor CPU and memory usage for abnormal spikes during HTTP operations
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list undici' to see the installed version. If the version is below 7.18.0 (for v7) or below 6.23.0 (for v6), you are vulnerable.
Check Version:
npm list undici | grep undici
Verify Fix Applied:
After updating, verify with 'npm list undici' that the version is 7.18.0+ or 6.23.0+. Test HTTP requests to ensure normal operation.
📡 Detection & Monitoring
Log Indicators:
- Unusual CPU spikes during HTTP requests
- Memory allocation errors in Node.js logs
- Slow response times from HTTP client operations
Network Indicators:
- HTTP responses with unusually large or complex compression headers
- Requests to suspicious or untrusted servers
SIEM Query:
source="nodejs" AND ("CPU spike" OR "memory allocation" OR "slow http") AND process="node"