PatchSiren


CVE-2026-1528 Node.js undici CVE debrief

CVE-2026-1528 is a high-severity denial-of-service vulnerability in undici, the HTTP and WebSocket client library maintained by the Node.js project (it also backs the fetch and WebSocket globals built into Node.js). When a WebSocket client built on undici receives a frame from the server whose payload length uses the 64-bit extended-length form and carries an extremely large value, undici's ByteParser overflows its internal length arithmetic, enters an invalid state and throws a fatal TypeError that terminates the process. The issue is fixed in undici v7.24.0 and v6.24.0; users should upgrade to those releases or later. The CVSS 3.1 base score is 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: triggerable over the network with low attack complexity, no privileges and no user interaction, with the impact confined to availability.

Vendor
Nodejs
Product
Undici
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-12
Original CVE updated
2026-06-30
Advisory published
2026-03-12
Advisory updated
2026-06-30

Who should care

Anyone who runs a WebSocket client built on undici and points it at servers they do not fully control. That covers code that uses undici's WebSocket class directly, code that uses the WebSocket global in Node.js releases that implement it with undici, and frameworks or SDKs that pull undici in as a transitive dependency. The malicious input arrives from the server side of the connection, so a WebSocket server that merely accepts connections from undici clients is not the vulnerable party; the client process is. Because the failure is an uncaught TypeError, one crafted frame takes down the whole Node.js process rather than the single connection, which makes multi-tenant services that open WebSocket connections on behalf of users (to user-supplied or third-party endpoints) the most exposed. The fix is to upgrade undici to v7.24.0 or v6.24.0 or later, including the copy bundled with the Node.js runtime, which can only be updated by upgrading Node.js itself.

Technical summary

A WebSocket frame header (RFC 6455, section 5.2) carries a 7-bit payload length; the values 126 and 127 are escapes that say the real length follows as a 16-bit or a 64-bit big-endian integer respectively, and the 64-bit form is required to have its most significant bit clear. A server that controls the connection can therefore send a header that claims a payload of many exabytes without sending a single payload byte. undici's ByteParser did not validate that 64-bit value before using it: a JavaScript Number cannot represent integers above 2^53 - 1 exactly, so combining the two halves of the field with ordinary arithmetic and feeding the result into the parser's bookkeeping produces a value that breaks the parser's own invariants. The parser lands in an invalid state and throws a TypeError that nothing catches, so the Node.js process exits. The root cause is this missing input validation: an oversized or malformed length should be rejected and the connection closed with a protocol-error or message-too-big close code, never carried into buffer arithmetic. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects that: any server the client connects to (or an attacker able to tamper with that connection) can trigger it with a single frame, no authentication or user interaction is needed, and the sole impact is loss of availability.
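The following is an added example and not undici's ByteParser or any code from the advisory: a strict header parser for server-to-client WebSocket frames in Node.js that shows where the 64-bit extended-length field has to be validated before any arithmetic touches it. It reads the field as a BigInt, rejects the cases RFC 6455 forbids (MSB set, non-minimal encoding, masked frames from a server), enforces a per-frame limit and reports a close code instead of throwing into the event loop. The MAX_PAYLOAD limit, the FrameError class and the sample frames are this example's own assumptions; naiveLength64 is included only to make the precision loss visible and is not a claim about undici's exact code path.

```javascript
'use strict';
// Added example, not undici's ByteParser: strict parsing of a server-to-client
// WebSocket frame header (RFC 6455 section 5.2) with the 64-bit length
// validated as a BigInt before it is ever narrowed to a Number.

const MAX_PAYLOAD = 16 * 1024 * 1024; // assumed per-frame limit for this example

class FrameError extends Error {
  // closeCode 1002 = protocol error, 1009 = message too big (RFC 6455 7.4.1)
  constructor(message, closeCode = 1002) {
    super(message);
    this.closeCode = closeCode;
  }
}

// The naive way to combine the two 32-bit halves of the 64-bit length field.
// Any value above 2**53 - 1 is rounded to a nearby double, so the result can
// silently lose precision and stop being a safe integer. Shown only to make
// the failure visible; never use it for real parsing.
function naiveLength64(buf, offset) {
  return buf.readUInt32BE(offset) * 2 ** 32 + buf.readUInt32BE(offset + 4);
}

// Parses one frame header from the start of buf. Returns null when more bytes
// are needed, { fin, opcode, payloadLength, headerLength } on success, and
// throws FrameError when the peer violated the protocol or a limit.
function parseFrameHeader(buf, maxPayload = MAX_PAYLOAD) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const rsv = buf[0] & 0x70;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let offset = 2;

  if (rsv !== 0) throw new FrameError('RSV bits set without a negotiated extension');
  if (masked) throw new FrameError('server-to-client frames must not be masked');
  if (opcode & 0x08) { // control frame: 0x8 close, 0x9 ping, 0xA pong
    if (!fin || len > 125) throw new FrameError('control frame fragmented or longer than 125 bytes');
  }

  if (len === 126) {
    if (buf.length < offset + 2) return null;
    len = buf.readUInt16BE(offset);
    offset += 2;
    if (len < 126) throw new FrameError('16-bit length not minimally encoded');
  } else if (len === 127) {
    if (buf.length < offset + 8) return null;
    // Read the field without precision loss, validate it while it is still a
    // BigInt, and only then narrow to a Number known to be small enough to use
    // as a buffer size or offset.
    const len64 = buf.readBigUInt64BE(offset);
    offset += 8;
    if (len64 >> 63n) throw new FrameError('64-bit length has its most significant bit set');
    if (len64 < 65536n) throw new FrameError('64-bit length not minimally encoded');
    if (len64 > BigInt(maxPayload)) {
      throw new FrameError(`payload length ${len64} exceeds limit ${maxPayload}`, 1009);
    }
    len = Number(len64);
  }

  if (len > maxPayload) throw new FrameError(`payload length ${len} exceeds limit ${maxPayload}`, 1009);
  return { fin, opcode, payloadLength: len, headerLength: offset };
}

// Turns the outcome into a plain value a connection state machine can act on:
// close the socket with closeCode instead of letting an exception escape and
// take the whole process down.
function inspectFrame(buf, maxPayload) {
  try {
    const header = parseFrameHeader(buf, maxPayload);
    return header ? { status: 'ok', header } : { status: 'need-more' };
  } catch (err) {
    if (err instanceof FrameError) return { status: 'close', closeCode: err.closeCode, reason: err.message };
    throw err;
  }
}

// Constructed sample frames for this example (not captured traffic).
const SAMPLES = {
  text5: Buffer.from('810548656c6c6f', 'hex'),                 // FIN, text, len 5, "Hello"
  bin256: Buffer.from('827e0100', 'hex'),                      // 16-bit length 256
  bin64k: Buffer.from('827f' + '0000000000010000', 'hex'),     // 64-bit length 65536
  hugeMsb: Buffer.from('827f' + 'ff'.repeat(8), 'hex'),        // 64-bit length with MSB set
  hugeSafe: Buffer.from('827f' + '0020000000000001', 'hex'),   // 64-bit length 2**53 + 1
  masked: Buffer.from('818512345678', 'hex'),                  // masked frame from a server
};

// Runs every sample through the strict parser; handy for a quick manual check.
function demoAll() {
  const out = {};
  for (const [name, buf] of Object.entries(SAMPLES)) out[name] = inspectFrame(buf);
  return out;
}
```

Note the ordering inside the 127 branch: the limit is compared while the value is still a BigInt, so a length like 2^53 + 1 or 0xFFFFFFFFFFFFFFFF is refused before it can become an imprecise Number. Call demoAll() to see each sample's outcome; naiveLength64(SAMPLES.hugeSafe, 2) returns a value that Number.isSafeInteger rejects.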

Defensive priority

High. The trigger is remote, unauthenticated and low complexity, and the outcome is not a degraded connection but a full process crash, so an attacker who can get a vulnerable client to connect to them (or can tamper with an existing connection) can take a service down at will and repeat it after every restart. Patch first wherever undici-based clients reach WebSocket endpoints outside your control, then everywhere else. Upgrade undici to v7.24.0 or v6.24.0 or later. A process supervisor that restarts on exit shortens each outage but does not remove the exposure, because the malicious server can resend the frame as soon as the client reconnects.

Recommended defensive actions

  • Upgrade undici to v7.24.0 or v6.24.0 or later, in direct and transitive dependencies alike (check the lockfile, not only package.json), and upgrade Node.js where the bundled copy (reported by process.versions.undici) is older than the fix release
  • Inventory services that open outbound WebSocket connections with undici to third-party or user-specified endpoints; these are the first to patch and the first to watch
  • Run Node.js services under a supervisor that restarts on exit, and alert on crash loops; treat an exit caused by an uncaught TypeError whose stack trace points into undici's WebSocket parsing as a possible exploitation attempt
  • Where the product allows it, set a maximum message size on WebSocket clients and reject connections to endpoints that are not on an allowlist, so a hostile server has fewer clients to reach
  • Confirm the rollout by checking the installed undici version in every deployed artifact (container images, lambdas, bundled runtimes), not just in source control
  • Keep incident response plans current for availability incidents of this kind, including how to identify which endpoint sent the crashing frame
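To make the first and last of those actions concrete, here is an added example (not tooling from undici, Node.js or PatchSiren) that classifies an undici version against the fix releases named in this advisory and applies that check both to the copy compiled into the running Node.js and to every undici entry in a parsed package-lock.json. It assumes the lockfileVersion 2 or 3 layout (a "packages" object keyed by install path), and it labels majors the advisory does not mention as assumed-fixed (later majors) or unsupported (earlier majors) rather than guessing a fix version for them; the sample lockfile is constructed.

```javascript
'use strict';
// Added example, not from undici, Node.js or PatchSiren: check undici
// versions against the CVE-2026-1528 fix releases (6.24.0 for 6.x,
// 7.24.0 for 7.x) for the bundled runtime copy and for lockfile entries.

const FIX_RELEASES = { 6: [6, 24, 0], 7: [7, 24, 0] }; // from the advisory

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// 'fixed' or 'vulnerable' for the 6.x and 7.x lines the advisory covers.
// Other majors are outside the advisory: a later major is reported as
// 'assumed-fixed' (assumption: it branched after the fix), an earlier one as
// 'unsupported' (no fix release is named for it; treat it as vulnerable).
function undiciStatus(version) {
  const v = parseSemver(version);
  const fix = FIX_RELEASES[v[0]];
  if (fix) return compareSemver(v, fix) >= 0 ? 'fixed' : 'vulnerable';
  return v[0] > 7 ? 'assumed-fixed' : 'unsupported';
}

// The undici compiled into this Node.js binary backs the fetch and WebSocket
// globals and is only updated by upgrading Node.js itself.
function bundledUndiciStatus() {
  const version = process.versions.undici;
  return version ? { version, status: undiciStatus(version) } : { version: null, status: 'absent' };
}

// Reports every undici copy in a parsed package-lock.json (v2/v3 layout),
// including nested copies under another package's node_modules, which is
// where a transitive dependency pinned to an old line usually hides.
function lockfileUndiciStatuses(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/undici' || path.endsWith('/node_modules/undici')) {
      out.push({ path, version: entry.version, status: undiciStatus(entry.version) });
    }
  }
  return out;
}

// Constructed lockfile fragment for this example (not a real project's).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/undici': { version: '7.24.0' },
    'node_modules/some-sdk': { version: '1.0.0', dependencies: { undici: '^6.0.0' } },
    'node_modules/some-sdk/node_modules/undici': { version: '6.20.1' },
  },
};
```

Against a real project, load the lockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass it to lockfileUndiciStatuses; any entry other than 'fixed' (or 'assumed-fixed', if you accept that assumption) needs action, and bundledUndiciStatus() tells you whether the runtime itself also needs an upgrade.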

Evidence notes

The stored evidence supports the following and nothing more: the flaw is fixed in undici v7.24.0 and v6.24.0; the CVSS 3.1 base score is 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; and the trigger is a server-sent WebSocket frame using the 64-bit length form with an extremely large length, which overflows the ByteParser's internal arithmetic, leaves it in an invalid state and raises a fatal TypeError that terminates the process. The evidence does not state whether the issue has been exploited in the wild, and it does not list the CVE in CISA KEV.

Official resources

This article is AI-assisted and based on the supplied source corpus.