PatchSiren cyber security CVE debrief
CVE-2026-1528 Nodejs CVE debrief
CVE-2026-1528 is a high-severity vulnerability in the Node.js Undici library. It is triggered when a WebSocket server replies to an undici client with a frame that uses the 64-bit payload-length form and carries an extremely large length value; undici's ByteParser overflows its internal length arithmetic, enters an invalid state, and raises a fatal TypeError that terminates the process. The vulnerability was patched in undici versions v7.24.0 and v6.24.0, and users are advised to upgrade to these versions or later. The Common Vulnerability Scoring System (CVSS) score is 7.5 (high). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
- Vendor: Nodejs
- Product: Undici
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-12
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running applications that use the Node.js Undici library should be aware of this vulnerability and take steps to mitigate it. This means upgrading to the patched versions of undici (v7.24.0 or v6.24.0) and ensuring that all affected systems are updated. Because the crash is triggered by the server side of a WebSocket connection, applications whose undici WebSocket clients connect to servers outside their control are the most exposed. Users should also monitor their systems for unexpected process terminations and be prepared to respond to denial-of-service (DoS) conditions.
Technical summary
The vulnerability occurs when a server replies with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser does not validate this length before using it, so its internal size arithmetic overflows, the parser enters an invalid state, and a fatal TypeError terminates the process. The root cause is a lack of proper input validation in the ByteParser. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the flaw is reachable over the network with low attack complexity and requires no privileges or user interaction, and its impact is on availability only (no confidentiality or integrity impact), i.e. a remote denial of service against the process hosting the undici client.
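The following added example illustrates the class of check that was missing, using the RFC 6455 frame layout. It is not undici's ByteParser or its patch; the two parsers, the 16 MiB payload limit, the close codes chosen, and the sample frames are all assumptions constructed for this illustration. The naive parser trusts the 64-bit length and computes it with floating-point Number arithmetic, which stops being exact above 2^53; the hardened parser decodes the field as a BigInt, enforces the RFC 6455 rules (most significant bit must be zero, minimal encoding must be used) and a configured maximum, and reports a close code for the endpoint to send rather than letting an exception escape and kill the process.

```javascript
// Added illustration of validating the RFC 6455 payload-length field on received
// WebSocket frames. NOT undici's ByteParser; the parsers, limits and frames below
// are constructed assumptions for this example.

const MAX_PAYLOAD = 16 * 1024 * 1024; // assumed per-connection limit (16 MiB)

// Decode the two fixed header bytes shared by both variants.
function readHeader(buf) {
  if (buf.length < 2) return null;
  return {
    fin: (buf[0] & 0x80) !== 0,
    opcode: buf[0] & 0x0f,
    masked: (buf[1] & 0x80) !== 0,
    len7: buf[1] & 0x7f, // 0-125 literal, 126 => 16-bit form, 127 => 64-bit form
  };
}

// Naive variant: trusts the 64-bit length and assembles it with double math.
// Above 2^53 the result is no longer an exact integer, so any later size
// arithmetic (remaining-byte counters, allocations) silently drifts.
function naivePayloadLength(buf) {
  const h = readHeader(buf);
  if (h === null) return null;
  if (h.len7 < 126) return h.len7;
  if (h.len7 === 126) return buf.length >= 4 ? buf.readUInt16BE(2) : null;
  if (buf.length < 10) return null;
  return buf.readUInt32BE(2) * 2 ** 32 + buf.readUInt32BE(6);
}

function fail(code, reason) {
  return { ok: false, code, reason };
}

// Hardened variant: returns { ok: true, length } for an acceptable frame, or
// { ok: false, code, reason } where code is the close code to send
// (1002 protocol error, 1009 message too big). Returns null if more bytes are needed.
function safePayloadLength(buf, maxPayload = MAX_PAYLOAD) {
  const h = readHeader(buf);
  if (h === null) return null;
  let length;
  if (h.len7 < 126) {
    length = BigInt(h.len7);
  } else if (h.len7 === 126) {
    if (buf.length < 4) return null;
    length = BigInt(buf.readUInt16BE(2));
    if (length < 126n) return fail(1002, 'non-minimal 16-bit length encoding');
  } else {
    if (buf.length < 10) return null;
    length = buf.readBigUInt64BE(2); // exact, no precision loss
    if (length & (1n << 63n)) return fail(1002, 'most significant bit of 64-bit length is set');
    if (length < 65536n) return fail(1002, 'non-minimal 64-bit length encoding');
  }
  // Enforce the application limit before any allocation or counter is touched.
  if (length > BigInt(maxPayload)) {
    return fail(1009, `payload length ${length} exceeds limit ${maxPayload}`);
  }
  return { ok: true, length: Number(length) };
}

// Constructed server->client frames: unmasked, FIN set, binary opcode (0x2).
function frameWith64BitLength(lengthBig) {
  const b = Buffer.alloc(10);
  b[0] = 0x82;
  b[1] = 127; // 64-bit length form follows
  b.writeBigUInt64BE(lengthBig, 2);
  return b;
}
const hugeFrame = frameWith64BitLength((1n << 63n) - 1n);     // 2^63-1, largest RFC-legal value
const msbFrame = frameWith64BitLength(0xffffffffffffffffn);    // MSB set, forbidden by RFC 6455
const smallFrame = Buffer.from([0x82, 0x05, 1, 2, 3, 4, 5]);    // 5-byte payload, literal length

console.log('naive:', naivePayloadLength(hugeFrame), 'safe integer?',
  Number.isSafeInteger(naivePayloadLength(hugeFrame)));
console.log('hardened huge:', safePayloadLength(hugeFrame));
console.log('hardened msb:', safePayloadLength(msbFrame));
console.log('hardened small:', safePayloadLength(smallFrame));
```

The point of the hardened variant is that every outcome is a value the caller can act on (send a close frame, log the reason, drop the connection) and nothing in the length path can throw. For detection purposes, a server that sends the 64-bit form with a value far above any realistic message size is worth logging as a protocol anomaly even when the parser handles it correctly.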
Defensive priority
Patching should be treated as high priority: the flaw is exploitable remotely by any server an affected client talks to, and it carries a high CVSS score. Upgrade to the patched versions of undici (v7.24.0 or v6.24.0) as soon as possible. In the meantime, monitor for unexpected process terminations and be prepared to respond to denial-of-service (DoS) conditions.
Recommended defensive actions
- Upgrade undici to v7.24.0 or later on the 7.x line, or v6.24.0 or later on the 6.x line
- Monitor for unexpected Node.js process exits and fatal TypeError entries in application logs, which are the observable symptom of this issue
- Be prepared to respond to denial-of-service (DoS) conditions, including automatic restart of affected services
- Review and update incident response plans
- Ensure all affected systems are updated, including services that pull undici in as a transitive dependency
Evidence notes
The vulnerability was patched in undici versions v7.24.0 and v6.24.0. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability occurs when a server replies with a WebSocket frame using the 64-bit length form and an extremely large length, causing undici's ByteParser to overflow internal math, resulting in an invalid state and a fatal TypeError that terminates the process.
Official resources
- CVE-2026-1528 CVE record (CVE.org)
- CVE-2026-1528 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ce714d77-add3-4f53-aff5-83d477b104bb - Vendor Advisory
- Source reference: ce714d77-add3-4f53-aff5-83d477b104bb - Permissions Required
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.