CVE-2026-2229

EUVD-2026-11704
Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  *  The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  *  The createInflateRaw() call is not wrapped in a try-catch block
  *  The resulting exception propagates up through the call stack and crashes the Node.js process
CVSS 3.x Base Score

Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 7.5 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score: Percentile 38%
Affected Products (NVD)

Vendor | Product | Version
nodejs | undici  | x < 6.24.0
nodejs | undici  | 7.0.0 <= x < 7.24.0

x = vulnerable software versions
Amazon Linux Releases

Amazon Package          | Release           | Version                                | Status
nodejs20                | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-debuginfo      | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-debugsource    | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-devel          | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-docs           | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-full-i18n      | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-libs           | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-libs-debuginfo | Amazon Linux 2023 | 1:20.20.1-1.amzn2023.0.3               | fixed
nodejs20-npm            | Amazon Linux 2023 | 1:10.8.2-1.20.20.1.1.amzn2023.0.3      | fixed
nodejs22                | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-debuginfo      | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-debugsource    | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-devel          | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-docs           | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-full-i18n      | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-libs           | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-libs-debuginfo | Amazon Linux 2023 | 1:22.22.1-1.amzn2023.0.2               | fixed
nodejs22-npm            | Amazon Linux 2023 | 1:10.9.4-1.22.22.1.1.amzn2023.0.2      | fixed
nodejs24                | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-debuginfo      | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-debugsource    | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-devel          | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-docs           | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-full-i18n      | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-libs           | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-libs-debuginfo | Amazon Linux 2023 | 1:24.14.0-1.amzn2023.0.2               | fixed
nodejs24-npm            | Amazon Linux 2023 | 1:11.9.0-1.24.14.0.1.amzn2023.0.2      | fixed
v8-11.3-devel           | Amazon Linux 2023 | 3:11.3.244.8-1.20.20.1.1.amzn2023.0.3  | fixed
v8-12.4-devel           | Amazon Linux 2023 | 3:12.4.254.21-1.22.22.1.1.amzn2023.0.2 | fixed
v8-13.6-devel           | Amazon Linux 2023 | 3:13.6.233.17-1.24.14.0.1.amzn2023.0.2 | fixed