🔐 CVE Alert

CVE-2026-1528

HIGH 7.5

undici is vulnerable to a malicious WebSocket 64-bit frame length that overflows the undici parser and crashes the client

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Impact

A server can reply with a WebSocket frame that uses the 64-bit length form and carries an extremely large length. undici's ByteParser overflows its internal length arithmetic, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in undici v7.24.0 and v6.24.0. Users should upgrade to these versions or later.

CWE: CWE-248, CWE-1284
Vendor: undici
Product: undici
Published: Mar 12, 2026
Last Updated: Mar 13, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Affected Versions

undici / undici
>= 6.0.0, < 6.24.0; >= 7.0.0, < 7.24.0

References

github.com: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
hackerone.com: https://hackerone.com/reports/3537648
cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

Matteo Collina, Ulises Gascón