Skip to main content

Undici CVE-2026-1528

| EUVDEUVD-2026-11703 HIGH
Uncaught Exception (CWE-248)
2026-03-12 ce714d77-add3-4f53-aff5-83d477b104bb GHSA-f269-vfmq-vjvj
7.5
CVSS 3.1 · Vendor: ce714d77-add3-4f53-aff5-83d477b104bb
Share

Severity by source

Vendor (ce714d77-add3-4f53-aff5-83d477b104bb) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).

CVSS VectorVendor: ce714d77-add3-4f53-aff5-83d477b104bb

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 12, 2026 - 22:55 euvd
EUVD-2026-11703
Analysis Generated
Mar 12, 2026 - 22:55 vuln.today
CVE Published
Mar 12, 2026 - 21:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on undici (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0.

DescriptionCVE.org

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

AnalysisAI

Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.

Technical ContextAI

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in Undici

View all
CVE-2022-35949 CRITICAL POC
9.8 Aug 12

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forge

CVE-2026-12151 HIGH POC
7.5 Jun 17

Memory exhaustion denial of service in the undici WebSocket client (versions 6.17.0 and later) allows a malicious or com

CVE-2022-31151 MEDIUM POC
6.5 Jul 21

Authorization headers are cleared on cross-origin redirect. Rated medium severity (CVSS 6.5), this vulnerability is remo

CVE-2022-32210 MEDIUM POC
6.5 Jul 14

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to th

CVE-2023-23936 MEDIUM POC
5.4 Feb 16

Undici is an HTTP/1.1 client for Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,

CVE-2022-35948 MEDIUM POC
5.3 Aug 15

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection

CVE-2026-6734 HIGH
8.8 Jun 17

Cross-origin request misrouting in undici's Socks5ProxyAgent (introduced in 7.23.0, affecting all releases through 8.1.0

CVE-2026-9675 HIGH
7.5 Jun 17

Denial-of-service in the undici WebSocket client (Node.js HTTP/WebSocket library) version 8.1.0 through versions prior t

CVE-2026-2229 HIGH
7.5 Mar 12

Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending

CVE-2026-1526 HIGH
7.5 Mar 12

Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote

CVE-2024-30261 LOW POC
3.5 Apr 04

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is rem

CVE-2023-24807 HIGH
7.5 Feb 16

Undici is an HTTP/1.1 client for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed

Share

CVE-2026-1528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy