CVE-2026-2229

Severity: HIGH · EPSS 38.3%
Published Mar 12, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score: 7.5 (High)

Description

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  • The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  • The createInflateRaw() call is not wrapped in a try-catch block
  • The resulting exception propagates up through the call stack and crashes the Node.js process

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
38.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-1284
CWE-248

Affected Products 2

Vendor    Product   Version   Range
nodejs    undici    *         <6.24.0
nodejs    undici    *         ≥7.0.0 – <7.24.0

References 5

  • cna.openjsf.org https://cna.openjsf.org/security-advisories.html
    Vendor Advisory
  • datatracker.ietf.org https://datatracker.ietf.org/doc/html/rfc7692
    Technical Description
  • github.com https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
    Vendor Advisory
  • hackerone.com https://hackerone.com/reports/3487486
    Permissions Required
  • nodejs.org https://nodejs.org/api/zlib.html#class-zlibinflateraw
    Technical Description

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.