CVE-2026-2229

EUVD-2026-11704

12.03.2026, 21:16

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  *  The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  *  The createInflateRaw() call is not wrapped in a try-catch block
  *  The resulting exception propagates up through the call stack and crashes the Node.js process

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
openjs	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-248 - Uncaught Exception
An exception is thrown from a function, but it is not caught.

References

https://cna.openjsf.org/security-advisories.html

https://datatracker.ietf.org/doc/html/rfc7692

https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8

https://hackerone.com/reports/3487486

https://nodejs.org/api/zlib.html#class-zlibinflateraw