PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1526 Nodejs CVE debrief

CVE-2026-1526 is a high-severity denial-of-service vulnerability in the WebSocket client of undici, the HTTP and WebSocket client library maintained under the Node.js project. The flaw is in the PerMessageDeflate.decompress() method, which accumulates every decompressed chunk of an incoming message in memory and concatenates them into a single Buffer without checking whether the running total exceeds a safe threshold. A malicious WebSocket server can therefore send a small compressed frame that expands to a very large buffer in memory, exhausting the memory available to the Node.js process and crashing it or leaving it unresponsive. The CVE carries a CVSS score of 7.5 (High). It was published on March 12, 2026 and last modified on June 30, 2026.

Vendor
Nodejs
Product
Undici
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-12
Original CVE updated
2026-06-30
Advisory published
2026-03-12
Advisory updated
2026-06-30

Who should care

The exposure is on the client side: the attacker is the WebSocket server (or, on a plaintext ws:// connection, anyone on the network path who can alter frames), and the victim is the Node.js process that connected to it. Anyone running Node.js code that opens outbound WebSocket connections through undici's WebSocket client should care, most of all code that connects to servers it does not control: API clients, bots, crawlers, relays and proxies that accept user-supplied WebSocket URLs. Node.js itself ships a bundled copy of undici behind its global fetch and WebSocket, so an application can be exposed without listing undici as a direct dependency; whether a given Node.js release carries an affected copy depends on the undici version bundled in that release, which the stored evidence does not state. Update to a patched undici (and, where the bundled copy is in use, a patched Node.js release) first, and apply the compensating controls listed below where an update has to wait.

Technical summary

The undici WebSocket client is vulnerable to denial of service through unbounded memory consumption during permessage-deflate decompression. permessage-deflate (RFC 7692) is negotiated in the opening handshake through the Sec-WebSocket-Extensions header; once both sides agree to it, the server may send message payloads compressed with DEFLATE, and the client inflates them with zlib before handing the message to the application. The vulnerable client enforces no limit on the inflated size: PerMessageDeflate.decompress() pushes each inflated chunk onto a list and, when the message is complete, concatenates the list into a single Buffer, never comparing the running total against a ceiling. DEFLATE compresses highly repetitive input at ratios approaching 1000:1, so a frame of a few kilobytes can inflate to megabytes, and one large compressed message or a sequence of such frames can exhaust the memory available to the process. Because Buffers are allocated outside the V8 heap, the usual --max-old-space-size setting does not cap this growth; the process keeps growing until the operating system or container runtime kills it, or it stalls under memory pressure.

Defensive priority

High. The attack needs nothing more than a server the client is willing to connect to, the payload is cheap to generate, and a single connection is enough to take the process down, so patching affected clients should not wait. Until the patch is in place, limit which servers the client will talk to and make sure the process runs under an external memory limit with automatic restart.

Recommended defensive actions

  • Update undici to a version that contains the fix. The stored evidence does not state the affected or fixed version ranges, so take them from the upstream advisory. Find every installed copy with npm ls undici (transitive dependencies included) and check the copy bundled in Node.js with node -p process.versions.undici, updating Node.js itself where that copy is the one in use.
  • Restrict outbound WebSocket destinations to an allowlist of trusted servers and connect over wss:// so that an on-path attacker cannot inject frames into the connection.
  • Run the process under an external memory limit (container or cgroup memory limit, ulimit) with a supervisor that restarts it. Buffers are allocated outside the V8 heap, so --max-old-space-size does not bound this growth.
  • Monitor resident memory per process and alert on rapid growth that coincides with WebSocket connections; an inflation bomb shows up as RSS climbing far faster than bytes received on the socket.
  • If the application wraps or reimplements frame decompression, enforce a maximum inflated message size and close the connection with status code 1009 (Message Too Big) when it is exceeded.
  • Review incident response plans so that a crash loop in a WebSocket-consuming service is treated as a possible attack rather than only an application bug.

Evidence notes

The stored evidence for CVE-2026-1526 records a publication date of 2026-03-12, a last modification on 2026-06-30, and a CVSS score of 7.5 (High). It identifies the vulnerable code path as PerMessageDeflate.decompress() in the undici WebSocket client, which accumulates decompressed chunks in memory and concatenates them into a single Buffer without checking the total against a size limit, allowing a malicious server to expand a small compressed frame into enough memory to crash or stall the process. The evidence does not state affected or fixed undici version ranges, a CVSS vector, or a CISA KEV listing, so those details must be confirmed against the upstream advisory before they are relied on.

Official resources

This article is AI-assisted and based on the supplied source corpus.