
undici CVE-2026-12151

HIGH · 7.5 (CVSS 3.1) · Uncontrolled Resource Consumption (CWE-400)
2026-06-17 · Vendor: openjs

Severity by source

Vendor (openjs), primary: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
vuln.today AI: 7.5 HIGH

Client connects over the network to an attacker-controlled server with no auth or interaction; impact is pure availability via memory exhaustion, no confidentiality or integrity effect.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (openjs).

CVSS Vector (Vendor: openjs)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 16:53 (vuln.today)

Description (CVE.org)

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected.

Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.

Workarounds: No workaround is available. The fix must be applied through an upgrade.

Analysis (AI)

Memory exhaustion denial of service in the undici WebSocket client (versions 6.17.0 and later) allows a malicious or compromised WebSocket server to crash Node.js client processes by streaming an unbounded number of small or empty continuation frames. Because undici only caps cumulative payload bytes via maxPayloadSize and does not limit fragment count, attackers can drive unbounded memory growth without ever exceeding the configured size threshold. …
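As an added illustration for the Description and Analysis above (not undici's code and not from the advisory), a minimal WebSocket message reassembler shows the gap: a cumulative maxPayloadSize bound never fires on zero-length continuation frames, while a separate fragment-count bound does. The frame parser, the Reassembler class, the maxFragments option and the sample frames are all constructed for this example and do not reflect undici's internals or the exact limit it now applies.

```javascript
// Minimal RFC 6455 frame header parser; server-to-client frames carry no mask.
function parseFrame(buf) {
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) { len = buf.readUInt16BE(2); off = 4; }
  else if (len === 127) { len = Number(buf.readBigUInt64BE(2)); off = 10; }
  return { fin, opcode, payload: buf.subarray(off, off + len) };
}

// Message reassembler. maxPayloadSize alone models the pre-fix behaviour; maxFragments
// is the extra bound. Control frames (ping/pong/close) must be handled before push().
class Reassembler {
  constructor({ maxPayloadSize = 1 << 20, maxFragments = Infinity } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = [];
    this.totalBytes = 0;
  }
  // Returns the complete message Buffer, null while waiting for FIN, or throws on a limit.
  push(frame) {
    if ((frame.opcode === 0x0) !== (this.fragments.length > 0)) throw new Error('bad fragment sequence');
    if (this.totalBytes + frame.payload.length > this.maxPayloadSize) throw new Error('payload too large');
    // Empty continuation frames add 0 bytes, so only this bound can catch them.
    if (this.fragments.length >= this.maxFragments) throw new Error('too many fragments');
    this.totalBytes += frame.payload.length;
    this.fragments.push(frame.payload);
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = []; this.totalBytes = 0;
    return message;
  }
}

// Constructed input: an unfinished text frame ("hi", FIN=0) followed by n zero-length
// continuation frames with FIN=0. Reports how many fragments were buffered and which
// limit, if any, rejected the stream.
function feedEmptyContinuations(n, opts) {
  const r = new Reassembler(opts);
  const first = Buffer.from([0x01, 0x02, 0x68, 0x69]); // FIN=0, opcode text, len 2
  const cont = Buffer.from([0x00, 0x00]);               // FIN=0, continuation, len 0
  r.push(parseFrame(first));
  for (let i = 0; i < n; i++) {
    try { r.push(parseFrame(cont)); }
    catch (e) { return { rejected: e.message, buffered: r.fragments.length }; }
  }
  return { rejected: null, buffered: r.fragments.length };
}
```

With only maxPayloadSize set, every one of the 10000 empty fragments is retained; with maxFragments the stream is rejected once the bound is reached, and an ordinary two-fragment message still reassembles.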


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Identify Node.js target using undici WebSocket client
Delivery: Induce outbound connection to attacker-controlled ws:// endpoint
Exploit: Complete WebSocket handshake
Install: Stream unbounded empty continuation frames
C2: Bypass maxPayloadSize via fragment count
Execute: Exhaust client process heap memory
Impact: Crash Node.js worker causing denial of service

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the victim application use undici's WebSocket client (new WebSocket() or WebSocketStream) at version 6.17.0 or later and that the attacker be able to cause that client to initiate a WebSocket connection to an attacker-controlled or compromised endpoint, for example through a user-supplied target URL, an SSRF gadget, or a compromised upstream service. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a pure availability impact reachable over the network with no authentication or interaction, yielding a 7.5 High score. …

Exploit Scenario: An attacker stands up a malicious WebSocket server and lures a vulnerable Node.js application into connecting, for example via a webhook URL field, an SSRF primitive, or a compromised upstream service the client federates with. Once the handshake completes the server streams a never-ending sequence of tiny or empty continuation frames without setting FIN, and undici buffers per-fragment state until the Node process exhausts heap memory and crashes. …

Remediation: Vendor-released patch: upgrade undici to 6.26.0, 7.28.0, or 8.5.0 or later on the corresponding release line, as documented in the upstream GHSA-vxpw-j846-p89q advisory (https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q) and the OpenJS CNA index (https://cna.openjsf.org/security-advisories.html); for Node.js runtimes that ship undici internally, take the Node.js release that bundles a fixed undici version. …

Recommended Action (AI)

Within 24 hours: Enumerate all applications and services using undici WebSocket client versions 6.17.0 or later; document which applications connect to external or untrusted WebSocket servers. …
