CVE-2026-22036

EUVD-2026-2422
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
nodejsundici
𝑥
< 6.23.0
nodejsundici
7.0.0 ≤
𝑥
< 7.18.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-undici
bookworm
no-dsa
bookworm (security)
vulnerable
forky
7.18.2+dfsg+~cs3.2.0-1
fixed
sid
7.18.2+dfsg+~cs3.2.0-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9