CVE-2026-22036
EUVD-2026-242214.01.2026, 19:16
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nodejs | undici | 𝑥 < 6.23.0 |
| nodejs | undici | 7.0.0 ≤ 𝑥 < 7.18.2 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| nodejs20 |
| ||||||
| nodejs20-devel |
| ||||||
| nodejs20-docs |
| ||||||
| nodejs22 |
| ||||||
| nodejs22-devel |
| ||||||
| nodejs22-docs |
| ||||||
| npm20 |
| ||||||
| npm22 |
|