undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation
Summary
| CVE | CVE-2026-2229 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-12 21:16:25 UTC |
| Updated | 2026-07-02 12:17:01 UTC |
| Description | ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-248 | CWE-1284 | CWE-248 CWE-248 Uncaught exception | CWE-1284 CWE-1284 Improper validation of specified quantity in input | CWE-248 Uncaught Exception
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:5807 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7310 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7675 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-2229 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| nodejs.org/api/zlib.html | ce714d77-add3-4f53-aff5-83d477b104bb | nodejs.org | Technical Description |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7123 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9742 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21931 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| datatracker.ietf.org/doc/html/rfc7692 | ce714d77-add3-4f53-aff5-83d477b104bb | datatracker.ietf.org | Technical Description |
| access.redhat.com/errata/RHSA-2026:7983 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7350 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7302 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13826 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7670 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2229.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| hackerone.com/reports/3487486 | ce714d77-add3-4f53-aff5-83d477b104bb | hackerone.com | Permissions Required |
| github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:17789 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7080 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Matteo Collina (en)
CNA: Ulises Gascón (en)
CNA: Rafael Gonzaga (en)
CNA: Ethan Arrowood (en)
CNA: Aisle Research (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-12T21:01:29.187Z | Reported to Red Hat. |
| ADP | 2026-03-12T20:27:05.600Z | Made public. |
Solutions
ADP: RHSA-2026:17789: Cryostat 4 on RHEL 9
ADP: RHSA-2026:7310: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:7080: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:7675: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:7123: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:7670: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:7983: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:7302: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7350: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:9742: Red Hat Developer Hub 1.8
ADP: RHSA-2026:13826: Red Hat Developer Hub 1.9
ADP: RHSA-2026:5807: Red Hat OpenShift AI 2.16
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
ADP: RHSA-2026:21931: Red Hat OpenShift Pipelines 1.2
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.