CVE-2026-1528

EPSS 0.13%
Veröffentlicht 12.03.2026 20:21:57
Zuletzt bearbeitet 20.03.2026 15:41:40
Quelle ce714d77-add3-4f53-aff5-83d477
CVE-Watchlists
Login
Unerledigt
Login

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Undici SwPlatformnode.js Version < 6.24.0

Nodejs ≫ Undici SwPlatformnode.js Version >= 7.0.0 < 7.24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.321

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
ce714d77-add3-4f53-aff5-83d477b104bb	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://cna.openjsf.org/security-advisories.html

Vendor Advisory

https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj

Vendor Advisory

https://hackerone.com/reports/3537648

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2026-1528

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1528

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1528

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-1528