7.5

CVE-2026-1528

undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodejsUndici SwPlatformnode.js Version < 6.24.0
NodejsUndici SwPlatformnode.js Version >= 7.0.0 < 7.24.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.49% 0.383
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ce714d77-add3-4f53-aff5-83d477b104bb 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://cna.openjsf.org/security-advisories.html
Vendor Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
Vendor Advisory
https://hackerone.com/reports/3537648
Permissions Required
https://access.redhat.com/errata/RHSA-2026:5807
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:21931
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:7080
https://access.redhat.com/errata/RHSA-2026:7123
https://access.redhat.com/errata/RHSA-2026:7302
https://access.redhat.com/errata/RHSA-2026:7310
https://access.redhat.com/errata/RHSA-2026:7350
https://access.redhat.com/errata/RHSA-2026:7670
https://access.redhat.com/errata/RHSA-2026:7675
https://access.redhat.com/errata/RHSA-2026:7983
https://access.redhat.com/security/cve/CVE-2026-1528
https://bugzilla.redhat.com/show_bug.cgi?id=2447145
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1528.json
https://access.redhat.com/errata/RHSA-2026:34342