PatchSiren cyber security CVE debrief
CVE-2026-12151 undici CVE debrief
CVE-2026-12151 is a high-severity vulnerability in the undici WebSocket client. A malicious WebSocket server can exploit this vulnerability by streaming many small or empty continuation frames, causing unbounded memory growth in the client process, leading to memory exhaustion and a denial of service. This vulnerability affects applications using the undici WebSocket client or the WebSocketStream API that connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting from undici 6.17.0 are affected. To mitigate this vulnerability, users should upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0.
- Vendor
- undici
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Developers and administrators using the undici WebSocket client or the WebSocketStream API in their applications should be aware of this vulnerability and take immediate action to upgrade to a patched version. This vulnerability can be exploited by a malicious WebSocket server, making it a significant concern for any application that connects to untrusted or potentially compromised WebSocket endpoints.
Technical summary
The undici WebSocket client enforces a maxPayloadSize limit on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. This allows a malicious WebSocket server to stream many small or empty continuation frames that pass per-frame and cumulative-size validation, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. The vulnerability is rated as HIGH with a CVSS score of 7.5.
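As an added illustration (not undici's code), a minimal fragment reassembler in JavaScript shows the gap the summary describes: a cumulative-size cap alone lets any number of empty continuation frames accumulate in the client's buffer list, while a per-message fragment-count cap (here a constructed `maxFragments` option, not an undici setting) bounds it. The frame objects and limits are constructed for the demonstration.

```javascript
// Added example, not undici's implementation: a simplified WebSocket message
// reassembler with a cumulative byte cap (maxPayloadSize) and an assumed
// per-message fragment-count cap (maxFragments). Frame objects are constructed.
class FragmentReassembler {
  constructor({ maxPayloadSize, maxFragments = Infinity }) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = []; // one Buffer per fragment; this list is what grows
    this.totalBytes = 0;
  }

  // frame: { fin: boolean, payload: Buffer }
  // Returns the reassembled message when fin is set, otherwise null.
  push(frame) {
    const size = this.totalBytes + frame.payload.length;
    if (size > this.maxPayloadSize) {
      this.reset();
      throw new Error('payload size limit exceeded');
    }
    // Empty continuation frames never trip the byte cap; only this check stops them.
    if (this.fragments.length + 1 > this.maxFragments) {
      this.reset();
      throw new Error('fragment count limit exceeded');
    }
    this.fragments.push(frame.payload);
    this.totalBytes = size;
    if (frame.fin) {
      const message = Buffer.concat(this.fragments, this.totalBytes);
      this.reset();
      return message;
    }
    return null;
  }

  reset() {
    this.fragments = [];
    this.totalBytes = 0;
  }
}

// Local test harness: feed n empty non-final continuation frames and report how
// many fragment entries the reassembler is still holding, or the error that stopped it.
function simulateEmptyContinuations(reassembler, n) {
  for (let i = 0; i < n; i++) {
    try {
      reassembler.push({ fin: false, payload: Buffer.alloc(0) });
    } catch (err) {
      return { retained: reassembler.fragments.length, error: err.message };
    }
  }
  return { retained: reassembler.fragments.length, error: null };
}
```

With only the byte cap, the retained entry count equals the number of frames received; with the count cap, the message is rejected once the cap is crossed and the buffer is released.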
Defensive priority
High
Recommended defensive actions
- Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0
- Review and update applications using the undici WebSocket client or the WebSocketStream API
- Ensure that WebSocket connections are only established with trusted endpoints
- Monitor application performance and memory usage for signs of exploitation
- Implement additional security measures to detect and prevent potential attacks
- Consider using alternative WebSocket client libraries that are not affected by this vulnerability
Evidence notes
The information provided is based on the official CVE record and NVD details. The vulnerability was published on June 17, 2026, and modified on the same day. The CVSS score is 7.5, indicating a high severity vulnerability.
Official resources
- CVE-2026-12151 CVE record (CVE.org)
- CVE-2026-12151 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ce714d77-add3-4f53-aff5-83d477b104bb
CVE-2026-12151 was published on 2026-06-17T17:16:42.370Z.