Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).
CVSS VectorVendor: ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on undici (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionCVE.org
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
AnalysisAI
Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.
Technical ContextAI
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forge
Memory exhaustion denial of service in the undici WebSocket client (versions 6.17.0 and later) allows a malicious or com
Authorization headers are cleared on cross-origin redirect. Rated medium severity (CVSS 6.5), this vulnerability is remo
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to th
Undici is an HTTP/1.1 client for Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection
Cross-origin request misrouting in undici's Socks5ProxyAgent (introduced in 7.23.0, affecting all releases through 8.1.0
Denial-of-service in the undici WebSocket client (Node.js HTTP/WebSocket library) version 8.1.0 through versions prior t
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending
Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote
Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is rem
Undici is an HTTP/1.1 client for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
Same weakness CWE-248 – Uncaught Exception
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Liberty Linux 10 | Fixed |
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11703
GHSA-f269-vfmq-vjvj