CVE-2026-2229

EPSS 0.19%
Veröffentlicht 12.03.2026 20:27:05
Zuletzt bearbeitet 20.03.2026 15:39:12
Quelle ce714d77-add3-4f53-aff5-83d477
CVE-Watchlists
Login
Unerledigt
Login

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  *  The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  *  The createInflateRaw() call is not wrapped in a try-catch block
  *  The resulting exception propagates up through the call stack and crashes the Node.js process

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Undici SwPlatformnode.js Version < 6.24.0

Nodejs ≫ Undici SwPlatformnode.js Version >= 7.0.0 < 7.24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.403

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
ce714d77-add3-4f53-aff5-83d477b104bb	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://cna.openjsf.org/security-advisories.html

Vendor Advisory

https://datatracker.ietf.org/doc/html/rfc7692

Technical Description

https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8

Vendor Advisory

https://hackerone.com/reports/3487486

Permissions Required

https://nodejs.org/api/zlib.html#class-zlibinflateraw

Technical Description