PatchSiren cyber security CVE debrief

CVE-2026-2229 Node.js CVE debrief

CVE-2026-2229 is a high-severity vulnerability in the undici WebSocket client that allows a denial of service through improper validation of the server_max_window_bits parameter of the permessage-deflate extension. A malicious server can respond with an out-of-range server_max_window_bits value and crash the client process. The root cause is inadequate validation in the isValidClientWindowBits function and missing exception handling around the createInflateRaw call. This issue affects undici versions prior to 6.24.0 and 7.24.0.

Vendor: Node.js
Product: undici
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-12
Original CVE updated: 2026-06-30
Advisory published: 2026-03-12
Advisory updated: 2026-06-30

Who should care

Developers and administrators using the undici WebSocket client in Node.js applications should prioritize patching this vulnerability to prevent potential denial-of-service attacks. Given the high CVSS score of 7.5, organizations should treat this issue with urgency. Affected versions include undici prior to 6.24.0 and 7.24.0.

Technical summary

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). The client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability is caused by the isValidClientWindowBits() function only validating that the value contains ASCII digits, not that it falls within the valid range, and the createInflateRaw() call not being wrapped in a try-catch block.

Defensive priority

High priority should be given to patching CVE-2026-2229, as it allows for a denial-of-service attack with a CVSS score of 7.5. Immediate action is necessary to prevent potential disruptions to Node.js applications utilizing the undici WebSocket client.

Recommended defensive actions

  • Update undici to version 6.24.0 or later, or 7.24.0 or later.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Review and update Node.js applications to ensure they are using patched versions of undici.
  • Consider implementing compensating controls, such as rate limiting or IP blocking, to mitigate potential attacks.
  • Verify that vendor advisories and security bulletins are being actively monitored and addressed.

Evidence notes

The CVE-2026-2229 vulnerability was publicly disclosed on March 12, 2026, and has a CVSS score of 7.5. The vulnerability affects undici versions prior to 6.24.0 and 7.24.0. Multiple sources, including NVD and vendor advisories, confirm the vulnerability and provide additional context.

Official resources

This article was generated with AI assistance based on the supplied source corpus.